CVE-2026-27488
Published: 21 February 2026
Summary
CVE-2026-27488 is a medium-severity SSRF (CWE-918) vulnerability in Openclaw Openclaw. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2026-27488 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) in OpenClaw, a personal AI assistant. It affects versions 2026.2.17 and below, specifically in the Cron webhook delivery functionality implemented in src/gateway/server-cron.ts. There, the fetch() function is invoked directly without SSRF policy checks, enabling webhook targets to access private, metadata, or internal endpoints. The vulnerability carries a CVSS score of 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-02-21.
Remote attackers require no privileges and can exploit this over the network with low attack complexity and no user interaction. By leveraging control over a webhook target URL in the Cron delivery process, they can direct the OpenClaw server to fetch unauthorized internal resources, resulting in low impacts to confidentiality, integrity, and availability.
Mitigation is provided in OpenClaw version 2026.2.19, which addresses the direct fetch() usage. Security advisories recommend upgrading to this patched release. Key references include the fixing commit at https://github.com/openclaw/openclaw/commit/99db4d13e5c139883ef0def9ff963e9273179655, the release notes at https://github.com/openclaw/openclaw/releases/tag/v2026.2.19, and the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-w45g-5746-x9fp.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7711
Vulnerability details
OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch() directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Enterprise AI Assistants
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing webhook/Cron component enables direct exploitation of the app (T1190); attacker-controlled fetch() to internal endpoints facilitates network service discovery (T1046) and retrieval of cloud instance metadata credentials (T1552.005).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces information flow policies on outbound webhook fetch() calls so targets cannot reach private or internal endpoints.
Boundary protection mechanisms can filter or deny server-initiated requests to internal metadata and private networks from the cron webhook path.
Validates webhook target URLs before fetch() to reject addresses that resolve to internal or metadata endpoints.