Cyber Resilience

CVE-2026-41297

MediumPublic PoC

Published: 21 April 2026

Published
21 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v4 4.8 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0024 14.5th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-41297 is a medium-severity SSRF (CWE-918) vulnerability in Openclaw Openclaw. Its CVSS base score is 4.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud Instance Metadata API (T1552.005); ranked at the 14.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-41297 is a server-side request forgery (SSRF) vulnerability (CWE-918) affecting OpenClaw versions prior to 2026.3.31. The issue resides in the marketplace plugin download functionality within the marketplace.ts module, which fails to validate or restrict redirect destinations during archive downloads. This allows attackers to manipulate redirects and force the server to make unauthorized requests to arbitrary internal or external resources. The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N) and was published on 2026-04-21.

Attackers with low privileges (PR:L), such as authenticated users, can exploit this over the network (AV:N) with low complexity (AC:L) by tricking a user into interacting with a malicious link or request (UI:R). Successful exploitation changes the scope (S:C), enabling high confidentiality impact (C:H) through access to internal resources, such as metadata services or other backend systems, while having low integrity impact (I:L) and no availability impact (A:N). Remote attackers can thus redirect server requests to sensitive internal endpoints or external servers under their control.

Mitigation is available in OpenClaw 2026.3.31 via a patch documented in GitHub commit 2ce44ca6a1302b166a128abbd78f72114f2f4f52. Security practitioners should consult the GitHub Security Advisory (GHSA-vjx8-8p7h-82gr) and Vulncheck advisory for detailed remediation steps, including upgrade instructions and validation of redirect handling in marketplace.ts.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows attackers to access internal resources by following unvalidated redirects. The marketplace.ts module fails to restrict redirect destinations during archive downloads, enabling remote attackers…

more

to redirect requests to arbitrary internal or external servers.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF allows server to request arbitrary internal resources including metadata services, directly enabling T1522 (exploiting cloud metadata API for sensitive data) and T1552.005 (stealing credentials from cloud instance metadata APIs).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28467Same product: Openclaw Openclaw
CVE-2026-26324Same product: Openclaw Openclaw
CVE-2026-43527Same product: Openclaw Openclaw
CVE-2026-43526Same product: Openclaw Openclaw
CVE-2026-34504Same product: Openclaw Openclaw
CVE-2026-32019Same product: Openclaw Openclaw
CVE-2026-44116Same product: Openclaw Openclaw
CVE-2026-22181Same product: Openclaw Openclaw
CVE-2026-6011Same product: Openclaw Openclaw
CVE-2026-31989Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.3.31

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 mandates validation of all inputs, directly addressing the failure to validate redirect destinations in marketplace.ts that enables SSRF to internal or external resources.

prevent

AC-4 enforces approved information flow policies, preventing the server from making unauthorized requests to arbitrary internal or external servers via manipulated redirects.

preventdetect

SC-7 monitors and controls communications at system boundaries, mitigating SSRF by blocking or detecting unauthorized outbound requests from the marketplace plugin.

References