CVE-2026-26322

CVE-2026-26322 is a server-side request forgery (SSRF) vulnerability (CWE-918) in OpenClaw, a personal AI assistant, affecting versions prior to 2026.2.14. The issue resides in the Gateway tool, which accepts tool-supplied `gatewayUrl` parameters without sufficient restrictions or validation. This allows the OpenClaw host to initiate outbound WebSocket connections to arbitrary user-specified targets, including localhost services, private network addresses, or cloud metadata endpoints.

Exploitation requires low privileges (PR:L), typically limited to authenticated operators, trusted automation, or deployments where tool calls accepting `gatewayUrl` overrides are exposed to non-operators. It is not exploitable by arbitrary internet users in drive-by scenarios unless explicitly configured to allow untrusted tool invocation. Attackers can force outbound connection attempts, resulting in errors or timeouts, and in setups where results are observable, perform limited network reachability probing. If the target supports WebSocket and is reachable, further interactions may be possible. The CVSS v3.1 base score is 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L), reflecting high confidentiality impact with low integrity and availability effects.

The OpenClaw security advisory (GHSA-g6q9-8fvw-f7rf), release notes for v2026.2.14, and fixing commit (c5406e1d2434be2ef6eb4d26d8f1798d718713f4) recommend upgrading to version 2026.2.14 or later. The patch restricts tool-supplied `gatewayUrl` overrides to loopback addresses on the configured gateway port or the preconfigured `gateway.remote.url`, while rejecting disallowed protocols, credentials, query parameters, hashes, and non-root paths.