GHSA-56F2-HVWG-5743

Vulnerability from github – Published: 2026-02-17 17:13 – Updated: 2026-02-17 17:13
VLAI
Summary
OpenClaw affected by SSRF in Image Tool Remote Fetch
Details

Summary

A server-side request forgery (SSRF) vulnerability in the Image tool allowed attackers to force OpenClaw to make HTTP requests to arbitrary internal or restricted network targets.

Affected Versions

  • npm: openclaw <= 2026.2.1

Patched Versions

  • npm: openclaw 2026.2.2 and later

Fix Commits

  • 81c68f582d4a9a20d9cca9f367d2da9edc5a65ae (guard remote media fetches with SSRF checks)
  • 9bd64c8a1f91dda602afc1d5246a2ff2be164647 (expand SSRF guard coverage)

Details

The Image tool accepts file paths, file:// URLs, data: URLs, and http(s) URLs. In vulnerable versions, http(s) URLs were fetched without SSRF protections, enabling requests to localhost, RFC1918, link-local, and cloud metadata targets.

This was fixed by routing remote media fetching through the SSRF guard (private/internal IP + hostname blocking, redirect hardening, DNS pinning).

Exploitability Notes

  • Requires attacker-controlled invocation of the Image tool (direct tool access, or a gateway/channel surface that forwards untrusted image arguments into tool calls).
  • The image tool expects the fetched content to be an image. Many high-value SSRF targets return text/JSON (for example cloud metadata endpoints), which will typically fail media-type validation. In practice, the most direct confidentiality impact comes from internal endpoints that actually return images (screenshots/renderers, camera snapshots, chart exports, etc.).
  • Remote fetches are GET-only with no custom headers. Some metadata services require special headers or session tokens (for example GCP Metadata-Flavor, AWS IMDSv2 token), which can further reduce the likelihood of direct credential theft in some environments.
  • Despite the above constraints, SSRF remains a powerful primitive: it can enable internal network probing and access to unauthenticated/internal HTTP endpoints, and can chain with other weaknesses if present.

Thanks @p80n-sec for reporting.

Severity
7.6 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-17T17:13:35Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nA server-side request forgery (SSRF) vulnerability in the Image tool allowed attackers to force OpenClaw to make HTTP requests to arbitrary internal or restricted network targets.\n\n## Affected Versions\n\n- npm: openclaw \u003c= 2026.2.1\n\n## Patched Versions\n\n- npm: openclaw 2026.2.2 and later\n\n## Fix Commits\n\n- 81c68f582d4a9a20d9cca9f367d2da9edc5a65ae (guard remote media fetches with SSRF checks)\n- 9bd64c8a1f91dda602afc1d5246a2ff2be164647 (expand SSRF guard coverage)\n\n## Details\n\nThe Image tool accepts file paths, file:// URLs, data: URLs, and http(s) URLs. In vulnerable versions, http(s) URLs were fetched without SSRF protections, enabling requests to localhost, RFC1918, link-local, and cloud metadata targets.\n\nThis was fixed by routing remote media fetching through the SSRF guard (private/internal IP + hostname blocking, redirect hardening, DNS pinning).\n\n## Exploitability Notes\n\n- Requires attacker-controlled invocation of the Image tool (direct tool access, or a gateway/channel surface that forwards untrusted `image` arguments into tool calls).\n- The image tool expects the fetched content to be an image. Many high-value SSRF targets return text/JSON (for example cloud metadata endpoints), which will typically fail media-type validation. In practice, the most direct confidentiality impact comes from internal endpoints that actually return images (screenshots/renderers, camera snapshots, chart exports, etc.).\n- Remote fetches are GET-only with no custom headers. Some metadata services require special headers or session tokens (for example GCP `Metadata-Flavor`, AWS IMDSv2 token), which can further reduce the likelihood of direct credential theft in some environments.\n- Despite the above constraints, SSRF remains a powerful primitive: it can enable internal network probing and access to unauthenticated/internal HTTP endpoints, and can chain with other weaknesses if present.\n\nThanks @p80n-sec for reporting.",
  "id": "GHSA-56f2-hvwg-5743",
  "modified": "2026-02-17T17:13:35Z",
  "published": "2026-02-17T17:13:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-56f2-hvwg-5743"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/81c68f582d4a9a20d9cca9f367d2da9edc5a65ae"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/9bd64c8a1f91dda602afc1d5246a2ff2be164647"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaw affected by SSRF in Image Tool Remote Fetch"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.