CVE-2026-41361
Published: 23 April 2026
Summary
CVE-2026-41361 is a high-severity Incomplete List of Disallowed Inputs (CWE-184) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely remediation of the SSRF guard bypass flaw through upgrading OpenClaw to version 2026.3.28 or later.
Ensures validation of URL inputs to block crafted requests targeting the four unblocked IPv6 special-use ranges, preventing SSRF exploitation.
Enforces flow control policies that restrict server-side requests to internal or non-routable IPv6 addresses, addressing the SSRF bypass vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF guard bypass in public-facing application directly enables T1190: Exploit Public-Facing Application to access internal resources.
NVD Description
OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 special-use ranges. Attackers can exploit this by crafting URLs targeting internal or non-routable IPv6 addresses to bypass SSRF protections.
Deeper analysisAI
CVE-2026-41361 is a Server-Side Request Forgery (SSRF) guard bypass vulnerability affecting OpenClaw versions before 2026.3.28. The flaw occurs because the SSRF protection mechanism fails to block four IPv6 special-use ranges, enabling attackers to craft URLs that target internal or non-routable IPv6 addresses and circumvent existing safeguards. It is associated with CWE-184 and CWE-918.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N), indicating network accessibility, high attack complexity, low privilege requirements, no user interaction, a change in scope, high confidentiality impact, low integrity impact, and no availability impact. Low-privileged attackers with network access can exploit it to bypass SSRF protections, potentially accessing sensitive internal resources via the unblocked IPv6 ranges.
Mitigation details are provided in advisories at https://github.com/openclaw/openclaw/security/advisories/GHSA-g86v-f9qv-rh6m and https://www.vulncheck.com/advisories/openclaw-ssrf-guard-bypass-via-ipv6-special-use-ranges. Affected systems should be upgraded to OpenClaw 2026.3.28 or later to properly block the vulnerable IPv6 special-use ranges.
Details
- CWE(s)