SB2026043087 - Multiple vulnerabilities in OpenClaw
Published: April 30, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)
The vulnerability allows a remote user to perform a server-side request forgery-style pivot to untrusted second-hop targets.
The vulnerability exists due to improper restriction of outbound connection targets in the CDP /json/version WebSocket URL handling when processing a /json/version response containing a webSocketDebuggerUrl that points to a different host. A remote user can supply a crafted response to perform a server-side request forgery-style pivot to untrusted second-hop targets.
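The control that the bulletin describes as missing is a pin between the host the client fetched /json/version from and the host named in the returned webSocketDebuggerUrl. The following is an added example of such a check, written for this bulletin and not taken from the OpenClaw code base; the names pinDebuggerUrl, parseUrl and DebuggerTarget are assumptions, as are the sample endpoints in the comments.

```typescript
// Added example (not OpenClaw project code): pin a CDP webSocketDebuggerUrl to
// the host and port of the /json/version endpoint it was fetched from, so a
// response cannot redirect the client's WebSocket to a second-hop target.

interface DebuggerTarget {
  ok: boolean;
  reason?: string; // why the URL was rejected
  url?: string;    // normalised URL to connect to when ok
}

// Parse without throwing; the WHATWG URL class is a Node global.
function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

// Effective port, since URL drops default ports from .port.
function effectivePort(u: URL): string {
  if (u.port !== "") return u.port;
  return u.protocol === "https:" || u.protocol === "wss:" ? "443" : "80";
}

// cdpEndpoint: the http(s) URL that /json/version was fetched from
//              (e.g. the constructed sample "http://127.0.0.1:9222").
// candidate:   the webSocketDebuggerUrl string found in that response.
function pinDebuggerUrl(cdpEndpoint: string, candidate: string): DebuggerTarget {
  const origin = parseUrl(cdpEndpoint);
  const target = parseUrl(candidate);
  if (origin === null || target === null) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (target.protocol !== "ws:" && target.protocol !== "wss:") {
    return { ok: false, reason: `unexpected scheme ${target.protocol}` };
  }
  if (target.username !== "" || target.password !== "") {
    return { ok: false, reason: "credentials embedded in debugger URL" };
  }
  // Exact host and port match: the only place the WebSocket may go is the
  // endpoint the operator configured, never a host chosen by the response.
  if (target.hostname !== origin.hostname || effectivePort(target) !== effectivePort(origin)) {
    return {
      ok: false,
      reason: `debugger URL host ${target.host} differs from configured ${origin.host}`,
    };
  }
  return { ok: true, url: target.href };
}
```

The comparison is deliberately strict: "localhost" and "127.0.0.1" are treated as different hosts, so an operator who configures one form must expect the browser to report the same form, which is the safe failure direction for this class of bug.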
2) Path traversal (CVE-ID: N/A)
The vulnerability allows a remote attacker to access files outside the expected repository root.
The vulnerability exists due to path traversal in remote marketplace plugin repository handling when accepting marketplace path sources that resolve through symlinks. A remote attacker can provide a crafted repository path to access files outside the expected repository root.
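The second issue is the classic gap between a lexically-contained path and a physically-contained one: a path that looks like it sits under the repository root can still resolve through a symlink to somewhere else. The following added example, which is not OpenClaw's code, shows the check a plugin loader needs, resolving the real path of both the root and the candidate before comparing them; the names resolveInsideRoot and buildFixture, and the temporary repository layout the fixture creates, are assumptions made for this illustration.

```typescript
// Added example (not OpenClaw project code): only accept a marketplace path
// source if its real, symlink-resolved location is inside the real
// repository root.
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Returns the real path of `candidate` if it lies inside `root` after
// following symlinks, otherwise null. Missing targets are also rejected.
function resolveInsideRoot(root: string, candidate: string): string | null {
  const realRoot = fs.realpathSync(root);
  const joined = path.resolve(realRoot, candidate);
  let real: string;
  try {
    real = fs.realpathSync(joined); // follows every symlink component
  } catch {
    return null;
  }
  const rel = path.relative(realRoot, real);
  // Inside the root means: the root itself, or a relative path that does not
  // climb out with ".." and is not absolute (a different drive on Windows).
  const inside =
    rel === "" ||
    (rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel));
  return inside ? real : null;
}

// Constructed test fixture: a temporary "repo" directory containing one
// legitimate plugin file and one symlink that escapes to a file outside it.
function buildFixture(): { root: string; outside: string } {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "plugin-repo-"));
  const root = path.join(base, "repo");
  const outside = path.join(base, "outside.txt");
  fs.mkdirSync(path.join(root, "plugins"), { recursive: true });
  fs.writeFileSync(path.join(root, "plugins", "ok.json"), "{}");
  fs.writeFileSync(outside, "outside the repository root");
  fs.symlinkSync(outside, path.join(root, "plugins", "escape"));
  return { root, outside };
}
```

A check built on the string alone (for example, verifying that the joined path starts with the root) would accept plugins/escape here, because the string does start with the root; only the realpath comparison sees that it resolves to outside.txt.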
Remediation
Install update from vendor's website.