PT-2026-33864 · Openclaw · Openclaw

Antaisecuritylab · Published 2026-04-07 · Updated 2026-04-21 · CVE-2026-41297

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.31
Description: A server-side request forgery (SSRF) issue exists in the marketplace plugin download functionality. The marketplace.ts module fails to restrict redirect destinations during archive downloads, allowing remote attackers to access internal resources or redirect requests to arbitrary internal or external servers by following unvalidated redirects.
Recommendations: Update to version 2026.3.31 or later. As a temporary workaround, restrict access to the marketplace.ts module to minimize the risk of exploitation.

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-41297
GHSA-VJX8-8P7H-82GR

Affected Products

Openclaw