Untriaged
Permalink
CVE-2026-32019
6.0 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): HIGH
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): CHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): LOW
- Availability impact (A): LOW
OpenClaw < 2026.2.22 - Incomplete IPv4 Special-Use Range Blocking in SSRF Guard
OpenClaw versions prior to 2026.2.22 contain incomplete IPv4 special-use range validation in the isPrivateIpv4() function, allowing requests to RFC-reserved ranges to bypass SSRF policy checks. Attackers with network reachability to special-use IPv4 ranges can exploit web_fetch functionality to access blocked addresses such as 198.18.0.0/15 and other non-global ranges.
References
- GitHub Security Advisory (GHSA-4rqq-w8v4-7p47) third-party-advisory
- Patch Commit #1 patch
- Patch Commit #2 patch
- Patch Commit #3 patch
- Patch Commit #4 patch
- VulnCheck Advisory: OpenClaw < 2026.2.22 - Incomplete IPv4 Special-Use Range Blocking in SSRF Guard third-party-advisory
Affected products
OpenClaw
- <2026.2.22
- ==2026.2.22
Package maintainers
-
@chrisportela Chris Portela <chris@chrisportela.com>