Server-Side Request Forgery (SSRF) in OpenClaw - CVE-2026-41297
Published: April 30, 2026
OpenClaw
Detailed vulnerability description
The vulnerability allows a remote attacker to perform server-side request forgery.
The vulnerability exists due to improper control of outbound requests in src/plugins/marketplace.ts when downloading marketplace plugin archives and following redirects. A remote attacker can cause the application to follow a crafted redirect to perform server-side request forgery.