CVE-2026-35629 — HIGH AI Security Vulnerability

CISO Take

CVE-2026-35629 is an incomplete SSRF remediation in openclaw's channel extensions where multiple handlers still issued raw fetch() calls against configured base URLs, bypassing the guard introduced for the earlier CVE-2026-28476. This is the same package with 67 documented CVEs — a pattern of systemic security debt, not an isolated oversight. Because channel extensions are user- or third-party-configured agent tools, an attacker who can influence extension configuration (including via ClawHub-distributed skills, as documented in AIID #1368) can redirect agent outbound requests to cloud metadata endpoints like AWS IMDS, harvesting IAM credentials without any exploit sophistication. No public exploit or CISA KEV listing exists today, but the trivially low exploitation bar and the sensitive targets reachable (credential endpoints, internal APIs) make this high priority. Upgrade openclaw to 2026.3.28 immediately and enforce egress filtering at the network layer to deny agent host requests to RFC1918 and link-local ranges as defense-in-depth.

Sources: NVD GitHub Advisory ATLAS

Risk Assessment

High effective risk for cloud-hosted openclaw deployments. SSRF in agent frameworks is disproportionately dangerous because outbound HTTP is core to agent operation, normalizing network egress that masks malicious traffic. The incomplete-fix nature — second SSRF bypass in the same package within a short window — signals inadequate patch validation. No EPSS data is available and the vulnerability is not KEV-listed, but exploitation complexity is trivial: configuring a malicious base URL is sufficient, requiring no memory corruption or auth bypass. Cloud environments with instance metadata services reachable from agent hosts face the highest blast radius.

Attack Kill Chain

Initial Access via Extension

Attacker publishes or compromises an openclaw channel extension on ClawHub with a malicious base URL targeting an internal or cloud metadata endpoint, then induces the victim to install it.

AML.T0010.005

SSRF Exploitation

During normal agent operation, openclaw invokes the channel extension whose unguarded raw fetch() call issues an HTTP request to the malicious base URL, bypassing the SSRF guard.

AML.T0049

Internal Network Probing

Attacker pivots through the SSRF to enumerate internal hosts, reach cloud metadata services (AWS IMDS at 169.254.169.254), and identify high-value internal API endpoints.

AML.T0053

Credential Theft and Lateral Movement

Harvested IAM role credentials or internal API tokens from metadata responses are exfiltrated, enabling the attacker to escalate privileges, access cloud storage, or move laterally within the environment.

AML.T0083

Initial Access via Extension

Attacker publishes or compromises an openclaw channel extension on ClawHub with a malicious base URL targeting an internal or cloud metadata endpoint, then induces the victim to install it.

AML.T0010.005

SSRF Exploitation

During normal agent operation, openclaw invokes the channel extension whose unguarded raw fetch() call issues an HTTP request to the malicious base URL, bypassing the SSRF guard.

AML.T0049

Internal Network Probing

Attacker pivots through the SSRF to enumerate internal hosts, reach cloud metadata services (AWS IMDS at 169.254.169.254), and identify high-value internal API endpoints.

AML.T0053

Credential Theft and Lateral Movement

Harvested IAM role credentials or internal API tokens from metadata responses are exfiltrated, enabling the attacker to escalate privileges, access cloud storage, or move laterally within the environment.

AML.T0083

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
openclaw	npm	< 2026.3.28	`2026.3.28`

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Recommended Action

Patch: Upgrade openclaw to >= 2026.3.28 immediately. The fix routes all channel extension fetch calls through fetchWithSsrFGuard, blocking rebinding to internal destinations.
Network workaround (if patching is delayed): Apply egress ACLs on openclaw agent hosts denying outbound HTTP/HTTPS to RFC1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), and loopback addresses.
Audit all configured channel extension base URLs for unexpected internal or metadata destinations.
Detection: Alert on outbound HTTP requests from agent processes targeting 169.254.169.254, internal RFC1918 ranges, or unusual non-public endpoints; correlate with IAM credential issuance events following agent execution.

Classification

Data Extraction Auth Bypass Supply Chain Agent Plugin AML.T0010.005 - AI Agent Tool AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0083 - Credentials from AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

8.4 - AI system operation and monitoring

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain AI risk management in deployment

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Related AI Incidents (1)

Malicious OpenClaw Skills Reportedly Delivered AMOS Stealer and Exfiltrated Credentials via ClawHub

Feb 2026 Unknown threat actors distributing malicious OpenClaw skills, Unknown threat actors, Unknown malicious actors high confidence

AIID #1368 documents malicious OpenClaw skills distributed via ClawHub delivering credential-stealing malware, demonstrating active exploitation of the same third-party channel extension attack surface. CVE-2026-35629 provides a direct technical mechanism (SSRF via unguarded base URLs) that a malicious skill could weaponize to pivot from extension execution to internal credential theft without requiring malware delivery.

AIID #1368

Source: AI Incident Database (AIID)

Frequently Asked Questions

What is CVE-2026-35629?

CVE-2026-35629 is an incomplete SSRF remediation in openclaw's channel extensions where multiple handlers still issued raw fetch() calls against configured base URLs, bypassing the guard introduced for the earlier CVE-2026-28476. This is the same package with 67 documented CVEs — a pattern of systemic security debt, not an isolated oversight. Because channel extensions are user- or third-party-configured agent tools, an attacker who can influence extension configuration (including via ClawHub-distributed skills, as documented in AIID #1368) can redirect agent outbound requests to cloud metadata endpoints like AWS IMDS, harvesting IAM credentials without any exploit sophistication. No public exploit or CISA KEV listing exists today, but the trivially low exploitation bar and the sensitive targets reachable (credential endpoints, internal APIs) make this high priority. Upgrade openclaw to 2026.3.28 immediately and enforce egress filtering at the network layer to deny agent host requests to RFC1918 and link-local ranges as defense-in-depth.

Is CVE-2026-35629 actively exploited?

No confirmed active exploitation of CVE-2026-35629 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-35629?

1. Patch: Upgrade openclaw to >= 2026.3.28 immediately. The fix routes all channel extension fetch calls through fetchWithSsrFGuard, blocking rebinding to internal destinations. 2. Network workaround (if patching is delayed): Apply egress ACLs on openclaw agent hosts denying outbound HTTP/HTTPS to RFC1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), and loopback addresses. 3. Audit all configured channel extension base URLs for unexpected internal or metadata destinations. 4. Detection: Alert on outbound HTTP requests from agent processes targeting 169.254.169.254, internal RFC1918 ranges, or unusual non-public endpoints; correlate with IAM credential issuance events following agent execution.

What systems are affected by CVE-2026-35629?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, plugin integrations, cloud-hosted AI agents.

What is the CVSS score for CVE-2026-35629?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Summary SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476) ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details Several channel extensions still used raw `fetch()` against configured base URLs without the SSRF guard that was added for CVE-2026-28476. Commit `f92c92515bd439a71bd03eb1bc969c1964f17acf` routes those outbound requests through `fetchWithSsrFGuard` so configured endpoints cannot be rebound to blocked internal destinations. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `f92c92515bd439a71bd03eb1bc969c1964f17acf`. ## Fix Commit(s) - `f92c92515bd439a71bd03eb1bc969c1964f17acf`

Exploitation Scenario

An attacker publishes a malicious openclaw channel extension to ClawHub configured with a base URL of http://169.254.169.254/latest/meta-data/iam/security-credentials/. An organization installs the extension as part of a customer support or workflow automation agent. During normal agent operation, the extension's outbound fetch() call — now unguarded — retrieves the AWS IMDS IAM role credentials assigned to the agent host. The extension handler forwards the credential response to an attacker-controlled endpoint embedded in its logic. The attacker uses the harvested temporary AWS credentials to enumerate S3 buckets, exfiltrate training data, or escalate to higher-privileged roles. The victim sees only normal agent traffic patterns.