CVE-2026-26324

7.5 HIGH

📋 TL;DR

OpenClaw's SSRF protection could be bypassed using IPv4-mapped IPv6 addresses, allowing attackers to access restricted internal resources like localhost or private networks. This affects all OpenClaw installations prior to version 2026.2.14. Users of vulnerable versions are at risk of SSRF attacks.

💻 Affected Systems

Products:
  • OpenClaw
Versions: All versions prior to 2026.2.14
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any OpenClaw installation with SSRF protection enabled is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access sensitive internal services, cloud metadata, or perform lateral movement within the network.

🟠 Likely Case

Information disclosure from internal services or metadata endpoints accessible via SSRF.

🟢 If Mitigated

Limited impact if network segmentation restricts internal access or if additional SSRF protections exist.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted IPv6 addresses to bypass SSRF filters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2026.2.14

Vendor Advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-jrvc-8ff5-2f9f

Restart Required: Yes

Instructions:

1. Update OpenClaw to version 2026.2.14 or later.
2. Restart the OpenClaw service.
3. Verify the patch is applied.

🔧 Temporary Workarounds

Network-based filtering (all)

Block outbound requests to internal IP ranges at the network level.

WAF rule (all)

Add a WAF rule to block requests containing IPv4-mapped IPv6 addresses.

🧯 If You Can't Patch

  • Restrict OpenClaw's outbound network access to only necessary external endpoints.
  • Implement additional SSRF validation at the application layer.

🔍 How to Verify

Check if Vulnerable:

Check if OpenClaw version is below 2026.2.14.

Check Version:

openclaw --version

Verify Fix Applied:

Confirm OpenClaw version is 2026.2.14 or higher and test SSRF protection with IPv4-mapped IPv6 addresses.
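The application-layer validation suggested under "If You Can't Patch", and the post-patch test with IPv4-mapped IPv6 addresses described above, as an added example that is not OpenClaw's code: the function names and sample URLs are assumptions, and it shows a naive IPv4-only check next to one that unwraps the mapped form before classifying the address.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example, not OpenClaw code. Function names and sample URLs are
# constructed for illustration.


def naive_is_private(host: str) -> bool:
    """The kind of check this bug class defeats: only IPv4 literals are
    examined, so '::ffff:127.0.0.1' is never recognised as loopback."""
    try:
        addr = ipaddress.IPv4Address(host)
    except ValueError:
        return False  # not an IPv4 literal, so treated as safe (the flaw)
    return addr.is_private or addr.is_loopback


def canonical_ip(host: str):
    """Parse host as an IP literal and unwrap IPv4-mapped IPv6
    (::ffff:a.b.c.d, including the all-hex spelling 0:0:0:0:0:ffff:7f00:1)
    to the IPv4 address it names. Returns None for hostnames."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_restricted(addr) -> bool:
    """Ranges an SSRF filter should refuse: RFC 1918, loopback, link-local
    (cloud metadata lives at 169.254.169.254), reserved, multicast, unspecified."""
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def hardened_is_blocked(url: str) -> bool:
    """Block a URL whose host is an IP literal in a restricted range after
    unwrapping IPv4-mapped forms. Hostnames must additionally be resolved and
    every resulting address passed through is_restricted (not shown here)."""
    host = urlsplit(url).hostname  # strips the [] around IPv6 literals
    if host is None:
        return True
    addr = canonical_ip(host)
    return addr is not None and is_restricted(addr)
```

The bracketed forms in the assertions are the shapes to use when testing a patched instance; a correct filter rejects all of them exactly as it rejects the plain IPv4 spelling.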

📡 Detection & Monitoring

Log Indicators:

  • Requests containing IPv4-mapped IPv6 addresses (e.g., 0:0:0:0:0:ffff:7f00:1) in logs.

Network Indicators:

  • Outbound connections from OpenClaw to internal IP ranges.

SIEM Query:

source="openclaw" AND (uri="*0:0:0:0:0:ffff:*" OR dest_ip IN private_ranges)
