CVE-2026-35673: OpenClaw: SSRF bypass exposes private network access
Severity: MEDIUM

OpenClaw, an AI agent framework with browser automation capabilities, contains an SSRF policy bypass that allows attackers with low-privileged access to reuse already-open blocked tabs in browser debug and export routes, circumventing private-network protections. In agentic deployments where OpenClaw has access to internal infrastructure or cloud metadata services, this flaw could enable pivoting from the agent's browser context into sensitive internal resources — internal APIs, admin interfaces, or cloud metadata endpoints such as AWS 169.254.169.254. The vulnerability carries a CVSS 6.5 (Medium) with High attack complexity and required User Interaction, is not in CISA KEV, and has no known public exploits, placing immediate exploitation risk in the low-to-moderate range. Organizations running OpenClaw in environments with internal network access should upgrade to version 2026.4.29 or later; as a workaround, restrict access to browser debug and export routes at the network perimeter.
What is the risk?
Medium risk overall. CVSS 6.5 with Changed scope indicates cross-boundary impact when exploited, but High attack complexity and required User Interaction act as significant mitigating factors. No EPSS data, no public exploits, and absence from CISA KEV further reduce near-term exploitation likelihood. The primary risk amplifier is AI agent deployments with unrestricted internal network access — a common enterprise automation configuration — which elevates effective risk above the base CVSS score in those contexts.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | pip | — | No patch |
Do you use openclaw? You're affected.
What should I do?
5 steps:
1. Upgrade OpenClaw to version 2026.4.29 or later immediately.
2. If patching is not immediately possible, restrict network-level access to browser debug and export routes via allowlist-based controls.
3. Deploy network egress filtering to block AI agent processes from accessing RFC 1918 address ranges and cloud metadata endpoints (169.254.169.254, fd00::/8).
4. Audit all OpenClaw deployment configurations for instances running with internal network segment access.
5. Monitor for anomalous outbound requests from OpenClaw processes targeting internal network ranges as an indicator of active exploitation.
Frequently Asked Questions
What is CVE-2026-35673?
OpenClaw, an AI agent framework with browser automation capabilities, contains an SSRF policy bypass that allows attackers with low-privileged access to reuse already-open blocked tabs in browser debug and export routes, circumventing private-network protections. In agentic deployments where OpenClaw has access to internal infrastructure or cloud metadata services, this flaw could enable pivoting from the agent's browser context into sensitive internal resources — internal APIs, admin interfaces, or cloud metadata endpoints such as AWS 169.254.169.254. The vulnerability carries a CVSS 6.5 (Medium) with High attack complexity and required User Interaction, is not in CISA KEV, and has no known public exploits, placing immediate exploitation risk in the low-to-moderate range. Organizations running OpenClaw in environments with internal network access should upgrade to version 2026.4.29 or later; as a workaround, restrict access to browser debug and export routes at the network perimeter.
Is CVE-2026-35673 actively exploited?
No confirmed active exploitation of CVE-2026-35673 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-35673?
1. Upgrade OpenClaw to version 2026.4.29 or later immediately. 2. If patching is not immediately possible, restrict network-level access to browser debug and export routes via allowlist-based controls. 3. Deploy network egress filtering to block AI agent processes from accessing RFC 1918 address ranges and cloud metadata endpoints (169.254.169.254, fd00::/8). 4. Audit all OpenClaw deployment configurations for instances running with internal network segment access. 5. Monitor for anomalous outbound requests from OpenClaw processes targeting internal network ranges as an indicator of active exploitation.
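The egress-filtering step (3) and the monitoring step (5) in the remediation list above, and the same steps repeated in this FAQ answer, both rest on one decision: is a destination address inside RFC 1918, link-local (which contains 169.254.169.254), loopback or fd00::/8? The following Python is an added illustration written for this page, not OpenClaw's own code, and it makes two assumptions: the deny list of ranges is the one named on this page plus loopback and IPv6 link-local, and the log format it parses (`proc=... dst=... url=...`) is constructed here. It shows the destination check applied at three points a defender cares about: when a tab is opened, again when a debug/export route is handed an already-open tab (the consumer-side re-check, since the advisory's bypass is precisely that such a route trusted tabs it did not open), and over a sample egress log to flag agent-process requests into blocked ranges.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Deny list assumed for this example: RFC 1918, IPv4 link-local (which
# covers the 169.254.169.254 metadata address), loopback, the unspecified
# block, and IPv6 ULA (fd00::/8, as listed on the page), link-local, loopback.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "0.0.0.0/8",
    "fd00::/8", "fe80::/10", "::1/128",
)]


def is_blocked_ip(ip_str):
    """True if the address falls in a blocked range. IPv4-mapped IPv6
    addresses (::ffff:a.b.c.d) are judged as the embedded IPv4 address so
    they cannot slip past an IPv4-only list."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def is_blocked_destination(url, resolved_ips=()):
    """Policy decision for one outbound request. resolved_ips are the
    addresses the caller's resolver returned for the hostname, passed in so
    the check and the connection use the same addresses."""
    host = urlsplit(url).hostname
    if host is None:
        return True  # unparseable target: fail closed
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return is_blocked_ip(host)  # literal IP in the URL
    except ValueError:
        pass  # a hostname: fall through to the resolved addresses
    return any(is_blocked_ip(ip) for ip in resolved_ips)


class Tab:
    """Minimal stand-in for a browser tab (constructed for this example)."""

    def __init__(self, url, resolved_ips=()):
        self.url = url
        self.resolved_ips = tuple(resolved_ips)
        self.content = None


def open_tab(url, resolved_ips=()):
    """Navigation-time check: the place a policy is usually enforced."""
    if is_blocked_destination(url, resolved_ips):
        raise PermissionError(f"blocked by SSRF policy: {url}")
    return Tab(url, resolved_ips)


def export_tab(tab):
    """Consumer-side check: a debug/export route re-evaluates the policy for
    the tab it is handed instead of trusting that the tab passed the check
    when it was opened. Returns the exported content when allowed."""
    if is_blocked_destination(tab.url, tab.resolved_ips):
        raise PermissionError(f"export refused, blocked destination: {tab.url}")
    return tab.content


# Constructed log format: one outbound connection per line.
LOG_LINE = re.compile(r"proc=(?P<proc>\S+) .*?dst=(?P<dst>\S+) url=(?P<url>\S+)")


def find_internal_egress(log_lines, process_name="openclaw"):
    """Detection: return the lines where the named process reached a
    blocked destination (step 5 of the remediation list)."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m or m.group("proc") != process_name:
            continue
        try:
            if is_blocked_ip(m.group("dst")):
                hits.append(line)
        except ValueError:
            continue  # dst field was not an IP address
    return hits


# Constructed sample log: two internal hits, one metadata hit via an
# IPv4-mapped IPv6 address, one public request, one non-agent process.
SAMPLE_LOG = [
    "2026-05-01T10:00:01Z proc=openclaw dst=93.184.216.34 url=https://example.com/",
    "2026-05-01T10:00:02Z proc=openclaw dst=169.254.169.254 url=http://169.254.169.254/latest/meta-data/",
    "2026-05-01T10:00:03Z proc=openclaw dst=10.0.12.7 url=http://10.0.12.7:8080/admin",
    "2026-05-01T10:00:04Z proc=sshd dst=192.168.1.20 url=-",
    "2026-05-01T10:00:05Z proc=openclaw dst=::ffff:169.254.169.254 url=http://[::ffff:169.254.169.254]/",
]

if __name__ == "__main__":
    for hit in find_internal_egress(SAMPLE_LOG):
        print("ALERT", hit)
```

The design point is that `export_tab` does not assume anything about how its tab came to exist; it re-runs the same destination check `open_tab` uses. A route that serves content from pre-existing tabs without such a re-check is exactly the shape of gap the advisory describes, independent of how the tab was opened.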
What systems are affected by CVE-2026-35673?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, browser-based AI agents, web automation pipelines.
What is the CVSS score for CVE-2026-35673?
CVE-2026-35673 has a CVSS v3.1 base score of 6.5 (MEDIUM).
MITRE ATLAS Techniques
- AML.T0049 Exploit Public-Facing Application
- AML.T0053 AI Agent Tool Invocation
- AML.T0086 Exfiltration via AI Agent Tool Invocation
- AML.T0107 Exploitation for Defense Evasion
Technical Details
Original Advisory
OpenClaw before 2026.4.29 contains an SSRF policy bypass vulnerability in browser debug and export routes that allows reuse of already-open blocked tabs. Attackers with access to these routes can bypass private-network SSRF policies by reusing blocked tabs to export or inspect content that should remain protected.
Exploitation Scenario
An attacker with low-privileged access to an OpenClaw deployment — such as in a shared research automation environment or multi-tenant AI agent platform — navigates to the browser debug or export routes. By targeting a tab that was previously opened and blocked by the SSRF policy (e.g., an AWS metadata endpoint or internal admin API), the attacker reuses that tab's context to export or inspect its content. This allows reading responses from internal services that the SSRF policy was explicitly designed to protect, potentially harvesting IAM credentials, configuration data, or sensitive internal content routed through the compromised AI agent.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
Related Vulnerabilities
- CVE-2026-30741 (9.8): OpenClaw: RCE via request-side prompt injection (same package: openclaw)
- CVE-2026-28451 (9.3): OpenClaw: SSRF via Feishu extension exposes internal services (same package: openclaw)
- GHSA-cwj3-vqpp-pmxr (8.8): openclaw: Model bypasses authz to persist unsafe config (same package: openclaw)
- CVE-2026-35674 (8.8): OpenClaw: scope bypass enables full agent admin takeover (same package: openclaw)
- GHSA-m3mh-3mpg-37hw (8.6): OpenClaw: .npmrc hijack enables RCE on plugin install (same package: openclaw)