CVE-2026-28467
Published: 05 March 2026
Summary
CVE-2026-28467 is a medium-severity SSRF (CWE-918) vulnerability in Openclaw Openclaw. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
Validates server-side URLs and resource references to block SSRF attempts.
Detects server-side request forgery through monitoring of unexpected outbound connections.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing OpenClaw attachment/media URL handling directly enables T1190 exploitation of the server app; description explicitly notes SSRF to metadata services/localhost, enabling T1522 Cloud Instance Metadata API access and response exfiltration.
NVD Description
OpenClaw versions prior to 2026.2.2 contain a server-side request forgery vulnerability in attachment and media URL hydration that allows remote attackers to fetch arbitrary HTTP(S) URLs. Attackers who can influence media URLs through model-controlled sendAttachment or auto-reply mechanisms can trigger…
more
SSRF to internal resources and exfiltrate fetched response bytes as outbound attachments.
Deeper analysisAI
CVE-2026-28467 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting OpenClaw versions prior to 2026.2.2. The flaw resides in the attachment and media URL hydration functionality, which improperly handles user-supplied URLs, enabling remote attackers to force the server to fetch arbitrary HTTP(S) resources. The vulnerability carries a CVSS v3.1 base score of 6.5 (AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L), indicating medium severity with network accessibility but high attack complexity and changed scope.
Remote attackers can exploit this vulnerability if they can influence media URLs through model-controlled mechanisms such as sendAttachment or auto-reply features. Successful exploitation allows attackers to trigger SSRF requests to internal resources, potentially accessing metadata services or other localhost endpoints, and exfiltrate the fetched response bytes by packaging them as outbound attachments.
Mitigation is available via patches in OpenClaw commits 81c68f582d4a9a20d9cca9f367d2da9edc5a65ae and 9bd64c8a1f91dda602afc1d5246a2ff2be164647, with administrators advised to upgrade to version 2026.2.2 or later. Additional details are provided in the GitHub security advisory GHSA-wfp2-v9c7-fh79 and the VulnCheck advisory on OpenClaw SSRF via attachment media URL hydration.
Details
- CWE(s)