PT-2026-32069 · Npm · Openclaw
Published: 2026-03-31 · Updated: 2026-03-31
CVSS v3.1: 3.1 (Low)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
The SSRF/IP classifier treated several IPv6 special-use ranges as public and allowed fetches to proceed.
Impact
An attacker who controlled a fetched URL could target internal or non-routable IPv6 addresses that should have been blocked by the SSRF guard.
Affected Component
src/shared/net/ip.ts, src/infra/net/ssrf.*
Fixed Versions
- Affected: <= 2026.3.24
- Patched: >= 2026.3.28
- Latest stable 2026.3.28 contains the fix.
Fix
Fixed by commit d61f8e5672 (Net: block missing IPv6 special-use ranges).
OpenClaw thanks @nicky-cc of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.
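The kind of check the summary describes, as an added example that is not OpenClaw's code: a prefix-based classifier that labels IPv6 special-use addresses so an SSRF guard can refuse them. The range list, labels and function names are assumptions for illustration; the advisory does not say which ranges the fix added.

```typescript
// Constructed list drawn from the IANA IPv6 special-purpose registry plus
// multicast; an assumption for illustration, not the ranges in commit d61f8e5672.
const SPECIAL_V6: [string, number, string][] = [
  ["::", 128, "unspecified"], ["::1", 128, "loopback"],
  ["::ffff:0:0", 96, "IPv4-mapped"], ["64:ff9b::", 96, "NAT64"],
  ["64:ff9b:1::", 48, "local-use NAT64"], ["100::", 64, "discard-only"],
  ["2001::", 23, "IETF protocol assignments"], ["2001:db8::", 32, "documentation"],
  ["2002::", 16, "6to4"], ["3fff::", 20, "documentation"],
  ["5f00::", 16, "SRv6 SIDs"], ["fc00::", 7, "unique local"],
  ["fe80::", 10, "link-local"], ["ff00::", 8, "multicast"],
];

// Expand hex-group IPv6 text (with optional "::") into eight 16-bit groups.
// Dotted IPv4 tails and zone ids return null so the caller fails closed.
function parseV6(addr: string): number[] | null {
  const halves = addr.toLowerCase().split("::");
  if (halves.length > 2) return null;
  const groups = (s: string): number[] | null => {
    if (s === "") return [];
    const parts = s.split(":");
    if (!parts.every((p) => /^[0-9a-f]{1,4}$/.test(p))) return null;
    return parts.map((p) => parseInt(p, 16));
  };
  const head = groups(halves[0]);
  const tail = halves.length === 2 ? groups(halves[1]) : [];
  if (!head || !tail) return null;
  const gap = 8 - head.length - tail.length;
  if (halves.length === 2 ? gap < 1 : gap !== 0) return null;
  return [...head, ...new Array<number>(gap).fill(0), ...tail];
}

// True when the first `bits` bits of `a` equal those of `net`.
function inPrefix(a: number[], net: number[], bits: number): boolean {
  for (let i = 0; i < 8 && bits > 0; i++, bits -= 16) {
    const mask = bits >= 16 ? 0xffff : (0xffff << (16 - bits)) & 0xffff;
    if ((a[i] & mask) !== (net[i] & mask)) return false;
  }
  return true;
}

// Label of the first matching range, "invalid" if unparseable, else null.
function classifyV6(addr: string): string | null {
  const a = parseV6(addr);
  if (!a) return "invalid";
  for (const [net, bits, label] of SPECIAL_V6) {
    if (inPrefix(a, parseV6(net) as number[], bits)) return label;
  }
  return null;
}
```

A guard built on this would allow a fetch only when `classifyV6` returns `null` for every address the hostname resolves to, and would treat `"invalid"` as blocked.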
Affected Products
Openclaw