PT-2026-39689 · Openclaw · Openclaw

Nicky

·

Published

2026-04-25

·

Updated

2026-05-11

·

CVE-2026-45000

CVSS v3.1

5.0

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.20
Description An issue exists in browser CDP profile creation that allows for server-side request forgery (SSRF), a flaw where a server is tricked into making requests to an unintended location. This occurs because strict-mode SSRF policy checks are skipped, enabling attackers to create stored profiles pointing to metadata endpoints or private networks that bypass security policies. These profiles are subsequently probed during normal profile status operations.
Recommendations Update to version 2026.4.20.

Exploit

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45000
GHSA-J4C5-89F5-F3PM

Affected Products

Openclaw