Nixpkgs security tracker

Dismissed

Permalink CVE-2026-28476

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): LOW
Availability impact (A): NONE

updated 1 month, 3 weeks ago by @mweinelt Activity log

Created suggestion 1 month, 4 weeks ago
@mweinelt dismissed 1 month, 3 weeks ago

OpenClaw < 2026.2.14 - Server-Side Request Forgery in Tlon Extension Authentication

OpenClaw versions prior to 2026.2.14 contain a server-side request forgery vulnerability in the optional Tlon Urbit extension that accepts user-provided base URLs for authentication without proper validation. Attackers who can influence the configured Urbit URL can induce the gateway to make HTTP requests to arbitrary hosts including internal addresses.

References

GitHub Security Advisory (GHSA-pg2v-8xwh-qhcc) vendor-advisory
Patch Commit patch
VulnCheck Advisory: OpenClaw < 2026.2.14 - Server-Side Request Forgery in Tlon Extension Authentication third-party-advisory

Affected products

OpenClaw

<2026.2.14

Matching in nixpkgs

pkgs.openclaw

Self-hosted, open-source AI assistant/agent

nixos-unstable -
- nixpkgs-unstable 2026.2.26
- nixos-unstable-small 2026.2.26

Package maintainers

@chrisportela Chris Portela <chris@chrisportela.com>

Unaffected, never had 2026.2.14 or older.

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.openclaw

Package maintainers