CVE-2026-35629 is an incomplete SSRF remediation in openclaw's channel extensions where multiple handlers still issued raw fetch() calls against configured base URLs, bypassing the guard introduced for the earlier CVE-2026-28476. This is the same package with 67 documented CVEs — a pattern of systemic security debt, not an isolated oversight. Because channel extensions are user- or third-party-configured agent tools, an attacker who can influence extension configuration (including via ClawHub-distributed skills, as documented in AIID #1368) can redirect agent outbound requests to cloud metadata endpoints like AWS IMDS, harvesting IAM credentials without any exploit sophistication. No public exploit or CISA KEV listing exists today, but the trivially low exploitation bar and the sensitive targets reachable (credential endpoints, internal APIs) make this high priority. Upgrade openclaw to 2026.3.28 immediately and enforce egress filtering at the network layer to deny agent host requests to RFC1918 and link-local ranges as defense-in-depth.
What is the risk?
High effective risk for cloud-hosted openclaw deployments. SSRF in agent frameworks is disproportionately dangerous because outbound HTTP is core to agent operation, normalizing network egress that masks malicious traffic. The incomplete-fix nature — second SSRF bypass in the same package within a short window — signals inadequate patch validation. No EPSS data is available and the vulnerability is not KEV-listed, but exploitation complexity is trivial: configuring a malicious base URL is sufficient, requiring no memory corruption or auth bypass. Cloud environments with instance metadata services reachable from agent hosts face the highest blast radius.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.3.28 | 2026.3.28 |
Do you use OpenClaw? You're affected.
How severe is it?
What is the attack surface?
What should I do?
4 steps-
Patch: Upgrade openclaw to >= 2026.3.28 immediately. The fix routes all channel extension fetch calls through fetchWithSsrFGuard, blocking rebinding to internal destinations.
-
Network workaround (if patching is delayed): Apply egress ACLs on openclaw agent hosts denying outbound HTTP/HTTPS to RFC1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), and loopback addresses.
-
Audit all configured channel extension base URLs for unexpected internal or metadata destinations.
-
Detection: Alert on outbound HTTP requests from agent processes targeting 169.254.169.254, internal RFC1918 ranges, or unusual non-public endpoints; correlate with IAM credential issuance events following agent execution.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-35629?
CVE-2026-35629 is an incomplete SSRF remediation in openclaw's channel extensions where multiple handlers still issued raw fetch() calls against configured base URLs, bypassing the guard introduced for the earlier CVE-2026-28476. This is the same package with 67 documented CVEs — a pattern of systemic security debt, not an isolated oversight. Because channel extensions are user- or third-party-configured agent tools, an attacker who can influence extension configuration (including via ClawHub-distributed skills, as documented in AIID #1368) can redirect agent outbound requests to cloud metadata endpoints like AWS IMDS, harvesting IAM credentials without any exploit sophistication. No public exploit or CISA KEV listing exists today, but the trivially low exploitation bar and the sensitive targets reachable (credential endpoints, internal APIs) make this high priority. Upgrade openclaw to 2026.3.28 immediately and enforce egress filtering at the network layer to deny agent host requests to RFC1918 and link-local ranges as defense-in-depth.
Is CVE-2026-35629 actively exploited?
No confirmed active exploitation of CVE-2026-35629 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-35629?
1. Patch: Upgrade openclaw to >= 2026.3.28 immediately. The fix routes all channel extension fetch calls through fetchWithSsrFGuard, blocking rebinding to internal destinations. 2. Network workaround (if patching is delayed): Apply egress ACLs on openclaw agent hosts denying outbound HTTP/HTTPS to RFC1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), and loopback addresses. 3. Audit all configured channel extension base URLs for unexpected internal or metadata destinations. 4. Detection: Alert on outbound HTTP requests from agent processes targeting 169.254.169.254, internal RFC1918 ranges, or unusual non-public endpoints; correlate with IAM credential issuance events following agent execution.
What systems are affected by CVE-2026-35629?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, plugin integrations, cloud-hosted AI agents.
What is the CVSS score for CVE-2026-35629?
CVE-2026-35629 has a CVSS v3.1 base score of 7.4 (HIGH). The EPSS exploitation probability is 0.24%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.005 AI Agent Tool AML.T0049 Exploit Public-Facing Application AML.T0053 AI Agent Tool Invocation AML.T0083 Credentials from AI Agent Configuration Compliance Controls Affected
What are the technical details?
Original Advisory
## Summary SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476) ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details Several channel extensions still used raw `fetch()` against configured base URLs without the SSRF guard that was added for CVE-2026-28476. Commit `f92c92515bd439a71bd03eb1bc969c1964f17acf` routes those outbound requests through `fetchWithSsrFGuard` so configured endpoints cannot be rebound to blocked internal destinations. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `f92c92515bd439a71bd03eb1bc969c1964f17acf`. ## Fix Commit(s) - `f92c92515bd439a71bd03eb1bc969c1964f17acf`
Exploitation Scenario
An attacker publishes a malicious openclaw channel extension to ClawHub configured with a base URL of http://169.254.169.254/latest/meta-data/iam/security-credentials/. An organization installs the extension as part of a customer support or workflow automation agent. During normal agent operation, the extension's outbound fetch() call — now unguarded — retrieves the AWS IMDS IAM role credentials assigned to the agent host. The extension handler forwards the credential response to an attacker-controlled endpoint embedded in its logic. The attacker uses the harvested temporary AWS credentials to enumerate S3 buckets, exfiltrate training data, or escalate to higher-privileged roles. The victim sees only normal agent traffic patterns.
Weaknesses (CWE)
CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L References
- github.com/advisories/GHSA-pg2v-8xwh-qhcc
- github.com/advisories/GHSA-rhfg-j8jq-7v2h
- github.com/openclaw/openclaw/commit/f92c92515bd439a71bd03eb1bc969c1964f17acf
- github.com/openclaw/openclaw/security/advisories/GHSA-rhfg-j8jq-7v2h
- nvd.nist.gov/vuln/detail/CVE-2026-35629
- vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-configured-base-urls-in-channel-extensions
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw