CVE-2026-41297
Published: 21 April 2026
Summary
CVE-2026-41297 is a high-severity server-side request forgery (SSRF, CWE-918) vulnerability in OpenClaw. Its CVSS v3.1 base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud Instance Metadata API (T1522). The vulnerability is ranked at the 11.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires that information inputs be validated. Here the unvalidated input is the Location header returned during an archive download: marketplace.ts follows it without checking where it points, which is the root cause of the SSRF to internal or external resources.
AC-4 enforces approved information flow policies, so a server-side policy on permitted destinations would stop the marketplace download from being steered to arbitrary internal or external servers via a manipulated redirect.
SC-7 monitors and controls communications at system boundaries. Egress filtering from the host running OpenClaw mitigates the SSRF independently of the code fix, by blocking or at least logging outbound requests from the marketplace plugin to addresses such as the cloud metadata endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF allows the server to request arbitrary internal resources, including cloud metadata services, which directly enables T1522 (Cloud Instance Metadata API) and T1552.005 (Unsecured Credentials: Cloud Instance Metadata API). Note that T1522 is a deprecated technique ID whose content was folded into the sub-technique T1552.005, so the two entries describe the same behaviour: harvesting instance credentials from the metadata endpoint.
NVD Description
OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows attackers to access internal resources by following unvalidated redirects. The marketplace.ts module fails to restrict redirect destinations during archive downloads, enabling remote attackers to redirect requests to arbitrary internal or external servers.
Deeper analysis
CVE-2026-41297 is a server-side request forgery (SSRF) vulnerability (CWE-918) affecting OpenClaw versions prior to 2026.3.31. The issue resides in the marketplace plugin download functionality within the marketplace.ts module, which fails to validate or restrict redirect destinations during archive downloads. This allows attackers to manipulate redirects and force the server to make unauthorized requests to arbitrary internal or external resources. The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N) and was published on 2026-04-21.
Attackers with low privileges (PR:L), such as authenticated users, can exploit this over the network (AV:N) with low complexity (AC:L). A user action is required (UI:R): the plugin archive download has to be triggered, and the server hosting that archive (or any intermediate hop) answers with a redirect to a destination of the attacker's choosing. Successful exploitation changes the scope (S:C), because the vulnerable component (the marketplace plugin) is used to reach other components, and the impact is high confidentiality (C:H) through access to internal resources such as metadata services or other backend systems, low integrity (I:L), and no availability impact (A:N). Remote attackers can thus redirect server requests to sensitive internal endpoints or to external servers under their control.
Mitigation is available in OpenClaw 2026.3.31 via a patch documented in GitHub commit 2ce44ca6a1302b166a128abbd78f72114f2f4f52. Security practitioners should consult the GitHub Security Advisory (GHSA-vjx8-8p7h-82gr) and the VulnCheck advisory for detailed remediation steps, including upgrade instructions and validation of redirect handling in marketplace.ts. Until the upgrade is applied, outbound filtering from the OpenClaw host (see SC-7 above) limits what a manipulated redirect can reach.
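The redirect-handling defect described above, shown as an added example in TypeScript. This is written here to illustrate the technique and is not the OpenClaw project's own marketplace.ts code: a download routine that trusts every Location header sits beside a hardened variant that re-validates each hop against a blocklist of loopback, link-local, private and IPv4-mapped ranges and refuses non-HTTPS targets. The hostnames, the fetch stand-in and the redirect chain are constructed for the example; no network is used.

```typescript
// ---- Constructed test doubles: no network is used anywhere in this file ----
interface FakeResponse {
  status: number;
  location?: string; // Location header carried by a 3xx answer
  body?: string;
}
type Fetcher = (url: string) => FakeResponse;

// Constructed server table (hypothetical hosts). The attacker-controlled archive
// URL answers with a redirect to the cloud metadata endpoint; the benign one goes to a CDN.
const META = "http://169.254.169.254/latest/meta-data/iam/security-credentials/";
const FAKE_SERVERS: Record<string, FakeResponse> = {
  "https://plugins.example.test/evil.tar.gz": { status: 302, location: META },
  [META]: { status: 200, body: "instance-role-name" },
  "https://plugins.example.test/good.tar.gz": { status: 302, location: "https://cdn.example.test/good.tar.gz" },
  "https://cdn.example.test/good.tar.gz": { status: 200, body: "<archive bytes>" },
};
export const fakeFetch: Fetcher = (url) => FAKE_SERVERS[url] ?? { status: 404 };

export interface DownloadResult { finalUrl: string; body?: string }

// Vulnerable pattern (CWE-918): every Location header is trusted, so one 3xx
// from the attacker's host steers the server onto the internal network.
export function downloadUnchecked(url: string, fetch: Fetcher, maxHops = 5): DownloadResult {
  let current = url;
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = fetch(current);
    if (res.status >= 300 && res.status < 400 && res.location) {
      current = new URL(res.location, current).toString(); // resolves relative Location too
      continue;
    }
    return { finalUrl: current, body: res.body };
  }
  throw new Error("too many redirects");
}

// ---- Destination policy ------------------------------------------------------
const ipv4Octets = (addr: string): number[] => addr.split(".").map(Number);

// Expand an IPv6 literal into eight 16-bit groups; handles "::" and an embedded
// dotted quad such as ::ffff:169.254.169.254.
function ipv6Groups(addr: string): number[] {
  let text = addr;
  const dotted = text.match(/(\d+\.\d+\.\d+\.\d+)$/);
  if (dotted) {
    const [a, b, c, d] = ipv4Octets(dotted[1]);
    text = text.slice(0, -dotted[1].length) + `${((a << 8) | b).toString(16)}:${((c << 8) | d).toString(16)}`;
  }
  const [head, tail = ""] = text.split("::");
  const h = head ? head.split(":").map((g) => parseInt(g, 16)) : [];
  const t = tail ? tail.split(":").map((g) => parseInt(g, 16)) : [];
  return [...h, ...new Array(8 - h.length - t.length).fill(0), ...t];
}

function isPrivateIPv4([a, b]: number[]): boolean {
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127); // 100.64/10 shared address space
}

function isPrivateIPv6(g: number[]): boolean {
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) { // ::ffff:a.b.c.d
    return isPrivateIPv4([g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff]);
  }
  const loopbackOrUnspecified = g.slice(0, 7).every((x) => x === 0) && g[7] <= 1;
  return loopbackOrUnspecified || (g[0] & 0xfe00) === 0xfc00 /* fc00::/7 */ ||
    (g[0] & 0xffc0) === 0xfe80; /* fe80::/10 */
}

// Hostname-level check. Callers pass URL.hostname, which the WHATWG parser has
// already normalised (e.g. http://0x7f000001/ becomes 127.0.0.1).
export function isBlockedHost(hostname: string): boolean {
  const host = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost") || host === "metadata.google.internal") return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return isPrivateIPv4(ipv4Octets(host));
  if (host.includes(":")) return isPrivateIPv6(ipv6Groups(host));
  return false; // a DNS name: must be resolved and re-checked before connecting (see note)
}

export function assertAllowedDestination(url: URL): void {
  if (isBlockedHost(url.hostname)) throw new Error(`refusing internal destination: ${url.href}`);
  if (url.protocol !== "https:") throw new Error(`refusing non-https destination: ${url.href}`);
}

// Hardened pattern: redirects are followed manually and every hop is policed.
export function downloadChecked(url: string, fetch: Fetcher, maxHops = 5): DownloadResult {
  let current = new URL(url);
  assertAllowedDestination(current);
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = fetch(current.toString());
    if (res.status >= 300 && res.status < 400 && res.location) {
      current = new URL(res.location, current);
      assertAllowedDestination(current); // the fix: validate the redirect target, not only the first URL
      continue;
    }
    return { finalUrl: current.toString(), body: res.body };
  }
  throw new Error("too many redirects");
}

// Stand-alone demonstration; returns the outcomes so they can be inspected.
export function demo(): Record<string, string> {
  const out: Record<string, string> = {};
  out.unchecked = downloadUnchecked("https://plugins.example.test/evil.tar.gz", fakeFetch).body ?? "";
  try { downloadChecked("https://plugins.example.test/evil.tar.gz", fakeFetch); out.checked = "downloaded"; }
  catch (e) { out.checked = (e as Error).message; }
  out.benign = downloadChecked("https://plugins.example.test/good.tar.gz", fakeFetch).finalUrl;
  return out;
}
console.log(demo());
```

Two caveats for a production version of this check. First, a DNS name passes isBlockedHost unchanged, so the real client must resolve the name, apply the same address policy to every returned record, and connect to that pinned address rather than letting the HTTP library resolve again (otherwise a rebinding name defeats the check). Second, when the set of legitimate archive hosts is known, an allowlist of those hosts is a stronger policy than any blocklist of internal ranges.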
Details
- CWE(s)