CVE-2026-28467
Published: 05 March 2026
Summary
CVE-2026-28467 is a medium-severity SSRF (CWE-918) vulnerability in Openclaw Openclaw. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-28467 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting OpenClaw versions prior to 2026.2.2. The flaw resides in the attachment and media URL hydration functionality, which improperly handles user-supplied URLs, enabling remote attackers to force the server to fetch arbitrary HTTP(S) resources. The vulnerability carries a CVSS v3.1 base score of 6.5 (AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L), indicating medium severity with network accessibility but high attack complexity and changed scope.
Remote attackers can exploit this vulnerability if they can influence media URLs through model-controlled mechanisms such as sendAttachment or auto-reply features. Successful exploitation allows attackers to trigger SSRF requests to internal resources, potentially accessing metadata services or other localhost endpoints, and exfiltrate the fetched response bytes by packaging them as outbound attachments.
Mitigation is available via patches in OpenClaw commits 81c68f582d4a9a20d9cca9f367d2da9edc5a65ae and 9bd64c8a1f91dda602afc1d5246a2ff2be164647, with administrators advised to upgrade to version 2026.2.2 or later. Additional details are provided in the GitHub security advisory GHSA-wfp2-v9c7-fh79 and the VulnCheck advisory on OpenClaw SSRF via attachment media URL hydration.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9913
Vulnerability details
OpenClaw versions prior to 2026.2.2 contain a server-side request forgery vulnerability in attachment and media URL hydration that allows remote attackers to fetch arbitrary HTTP(S) URLs. Attackers who can influence media URLs through model-controlled sendAttachment or auto-reply mechanisms can trigger…
more
SSRF to internal resources and exfiltrate fetched response bytes as outbound attachments.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing OpenClaw attachment/media URL handling directly enables T1190 exploitation of the server app; description explicitly notes SSRF to metadata services/localhost, enabling T1522 Cloud Instance Metadata API access and response exfiltration.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Validates all user-influenced media/attachment URLs before hydration to block arbitrary external or internal HTTP(S) fetches at the root of this SSRF flaw.
Enforces information-flow policy on outbound requests so the server cannot reach internal resources or exfiltrate response data via sendAttachment/auto-reply paths.
Boundary-protection mechanisms (egress filtering, internal address blocking) stop the server from making SSRF connections to metadata services or localhost endpoints.