CVE-2026-43527

Summary

OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF policy that allows private-network navigation by default. Attackers can exploit this misconfiguration to access internal services or metadata endpoints through browser-driven requests.

Affected Software

VendorProductVersion RangeStatus
OpenClawOpenClaw0 < 2026.4.14affected
OpenClawOpenClaw2026.4.14unaffected

Weaknesses

  • CWE-918: CWE-918 Server-Side Request Forgery (SSRF)
  • CWE-1188: CWE-1188 Initialization of a Resource with an Insecure Default

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References