FKIE_CVE-2026-26322
Vulnerability from fkie_nvd - Published: 2026-02-19 23:16 - Updated: 2026-02-20 19:12
Severity: HIGH (CVSS v3.1 base score 7.6)
Summary
OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Gateway tool accepted a tool-supplied `gatewayUrl` without sufficient restrictions, which could cause the OpenClaw host to attempt outbound WebSocket connections to user-specified targets. This requires the ability to invoke tools that accept `gatewayUrl` overrides (directly or indirectly). In typical setups this is limited to authenticated operators, trusted automation, or environments where tool calls are exposed to non-operators. In other words, this is not a drive-by issue for arbitrary internet users unless a deployment explicitly allows untrusted users to trigger these tool calls. Some tool call paths allowed `gatewayUrl` overrides to flow into the Gateway WebSocket client without validation or allowlisting. This meant the host could be instructed to attempt connections to non-gateway endpoints (for example, localhost services, private network addresses, or cloud metadata IPs). In the common case, this results in an outbound connection attempt from the OpenClaw host (and corresponding errors/timeouts). In environments where the tool caller can observe the results, this can also be used for limited network reachability probing. If the target speaks WebSocket and is reachable, further interaction may be possible. Starting in version 2026.2.14, tool-supplied `gatewayUrl` overrides are restricted to loopback (on the configured gateway port) or the configured `gateway.remote.url`. Disallowed protocols, credentials, query/hash, and non-root paths are rejected.
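The fix described above is an allowlist on the tool-supplied `gatewayUrl`: only loopback on the configured gateway port or the configured `gateway.remote.url` may be contacted, and URLs carrying other protocols, credentials, a query or fragment, or a non-root path are rejected. The following is an added illustration of that policy, written for this page and not taken from the OpenClaw commit or code base; the config shape (`gatewayPort`, `remoteUrl`), the function name `validateGatewayUrl`, the port 18789 and the hostname `gateway.example.test` are constructed for the example.

```javascript
// Added example (not OpenClaw's code): validate a tool-supplied gatewayUrl
// against the policy the advisory describes for version 2026.2.14.
// Parse first, then compare canonical components, so alternate spellings
// of a host or port cannot slip past string comparisons.

const ALLOWED_PROTOCOLS = new Set(["ws:", "wss:"]);
// WHATWG URL keeps the brackets on IPv6 hostnames, hence "[::1]".
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// config is an assumed shape: { gatewayPort: number, remoteUrl?: string }
function validateGatewayUrl(candidate, config) {
  let url;
  try {
    url = new URL(String(candidate));
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }

  // Structural rejections first, independent of the target host.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: "disallowed protocol" };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials not allowed" };
  }
  if (url.search || url.hash) {
    return { ok: false, reason: "query/hash not allowed" };
  }
  if (url.pathname !== "/") {
    return { ok: false, reason: "non-root path" };
  }

  // Allowed target 1: loopback on the configured gateway port.
  // url.port is "" when the default port for the scheme is used.
  const port = url.port || (url.protocol === "wss:" ? "443" : "80");
  if (LOOPBACK_HOSTS.has(url.hostname) && port === String(config.gatewayPort)) {
    return { ok: true, target: url.href };
  }

  // Allowed target 2: the configured remote gateway, compared by origin
  // (scheme, host, port) after both sides have been canonicalised.
  if (config.remoteUrl) {
    const remote = new URL(config.remoteUrl);
    if (url.origin === remote.origin) {
      return { ok: true, target: url.href };
    }
  }
  return { ok: false, reason: "host not allowlisted" };
}

// Constructed configuration for the example.
const EXAMPLE_CONFIG = { gatewayPort: 18789, remoteUrl: "wss://gateway.example.test/" };

// Runs a few constructed inputs through the validator and returns the verdicts.
function demo() {
  return [
    "ws://127.0.0.1:18789/",
    "ws://[::1]:18789",
    "wss://gateway.example.test/",
    "ws://127.0.0.1:9999/",
    "ws://10.0.0.5:18789/",
    "wss://gateway.example.test/admin",
    "ws://u:p@127.0.0.1:18789/",
    "http://127.0.0.1:18789/",
  ].map((u) => ({ url: u, ...validateGatewayUrl(u, EXAMPLE_CONFIG) }));
}

console.table(demo());
```

The order of checks matters for the error the caller sees but not for safety: every rejection is a full stop, and a candidate only reaches the host comparison once it has the bare `scheme://host[:port]/` shape the policy permits. Comparing `origin` rather than the raw string means a configured `gateway.remote.url` with a trailing slash or default port still matches its canonical form.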
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "0F3079A3-9FBD-4E87-821D-5CAF0622C555",
"versionEndExcluding": "2026.2.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Gateway tool accepted a tool-supplied `gatewayUrl` without sufficient restrictions, which could cause the OpenClaw host to attempt outbound WebSocket connections to user-specified targets. This requires the ability to invoke tools that accept `gatewayUrl` overrides (directly or indirectly). In typical setups this is limited to authenticated operators, trusted automation, or environments where tool calls are exposed to non-operators. In other words, this is not a drive-by issue for arbitrary internet users unless a deployment explicitly allows untrusted users to trigger these tool calls. Some tool call paths allowed `gatewayUrl` overrides to flow into the Gateway WebSocket client without validation or allowlisting. This meant the host could be instructed to attempt connections to non-gateway endpoints (for example, localhost services, private network addresses, or cloud metadata IPs). In the common case, this results in an outbound connection attempt from the OpenClaw host (and corresponding errors/timeouts). In environments where the tool caller can observe the results, this can also be used for limited network reachability probing. If the target speaks WebSocket and is reachable, further interaction may be possible. Starting in version 2026.2.14, tool-supplied `gatewayUrl` overrides are restricted to loopback (on the configured gateway port) or the configured `gateway.remote.url`. Disallowed protocols, credentials, query/hash, and non-root paths are rejected."
},
{
"lang": "es",
"value": "OpenClaw es un asistente personal de IA. Antes de la versi\u00f3n 2026.2.14 de OpenClaw, la herramienta Gateway aceptaba una \u0027gatewayUrl\u0027 proporcionada por la herramienta sin restricciones suficientes, lo que podr\u00eda hacer que el host de OpenClaw intentara conexiones WebSocket salientes a objetivos especificados por el usuario. Esto requiere la capacidad de invocar herramientas que acepten anulaciones de \u0027gatewayUrl\u0027 (directa o indirectamente). En configuraciones t\u00edpicas, esto se limita a operadores autenticados, automatizaci\u00f3n de confianza o entornos donde las llamadas a herramientas est\u00e1n expuestas a no operadores. En otras palabras, esto no es un problema de ataque al paso para usuarios de internet arbitrarios a menos que una implementaci\u00f3n permita expl\u00edcitamente a usuarios no confiables activar estas llamadas a herramientas. Algunas rutas de llamada a herramientas permit\u00edan que las anulaciones de \u0027gatewayUrl\u0027 fluyeran hacia el cliente WebSocket de Gateway sin validaci\u00f3n o inclusi\u00f3n en lista blanca. Esto significaba que se pod\u00eda instruir al host para que intentara conexiones a puntos finales que no fueran de gateway (por ejemplo, servicios de localhost, direcciones de red privadas o IPs de metadatos en la nube). En el caso com\u00fan, esto resulta en un intento de conexi\u00f3n saliente desde el host de OpenClaw (y los errores/tiempos de espera correspondientes). En entornos donde el invocador de la herramienta puede observar los resultados, esto tambi\u00e9n puede usarse para sondeos limitados de accesibilidad de red. Si el objetivo habla WebSocket y es alcanzable, una interacci\u00f3n adicional puede ser posible. A partir de la versi\u00f3n 2026.2.14, las anulaciones de \u0027gatewayUrl\u0027 proporcionadas por la herramienta est\u00e1n restringidas a loopback (en el puerto de gateway configurado) o a la \u0027gateway.remote.url\u0027 configurada. Protocolos no permitidos, credenciales, consulta/hash y rutas no ra\u00edz son rechazados."
}
],
"id": "CVE-2026-26322",
"lastModified": "2026-02-20T19:12:17.440",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.7,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-02-19T23:16:25.340",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/openclaw/openclaw/commit/c5406e1d2434be2ef6eb4d26d8f1798d718713f4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g6q9-8fvw-f7rf"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.