CVE-2026-53812: OpenClaw: SSRF bypasses private-network access controls

HIGH
Published June 11, 2026
CISO Take

CVE-2026-53812 is a server-side request forgery in OpenClaw's browser control that lets any authenticated, low-privileged user redirect the agent's Playwright browser to private-network targets—including cloud metadata endpoints and internal APIs—then read the full response body via browser evaluation, effectively turning the AI agent into an internal network probe. The Changed Scope (S:C) in the CVSS vector means blast radius extends beyond OpenClaw itself to whatever internal systems are reachable from the agent's network position, a particularly acute risk in containerized or cloud-deployed agentic workloads where the agent process sits inside the trust boundary. There is no public exploit and the vulnerability is absent from CISA KEV, but low attack complexity and no user interaction required make opportunistic exploitation realistic once the redirect pattern is understood. Organizations running OpenClaw in environments with internal network access should upgrade to 2026.5.18 or later immediately and, as a compensating control, restrict agent process egress to explicitly allowlisted external domains at the network layer.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

CVSS 7.7 High with Changed Scope flags elevated real-world impact beyond the base score. The low-privilege authenticated entry bar widens the attacker pool to all platform users, not just admins. In cloud environments, SSRF frequently enables access to instance metadata services (169.254.169.254, IMDSv1) leading to IAM credential theft and lateral movement—a well-established post-exploitation path. The AI agent context amplifies risk because Playwright evaluation capabilities allow structured data extraction from internal HTTP responses, not just raw reachability probing. 155 CVEs in the same package signals a pattern of security debt in this codebase that warrants broader review beyond this single fix.

How does the attack unfold?

1. Initial Access (AML.T0012): Attacker authenticates to OpenClaw with a low-privilege user account, gaining access to browser control and Playwright act interaction capabilities.
2. SSRF Trigger (AML.T0049): Attacker crafts a Playwright act interaction targeting an attacker-controlled external page configured to redirect to a private-network target, so the pre-navigation private-network check passes on the legitimate-looking initial URL.
3. Internal Navigation (AML.T0053): The action-triggered redirect causes OpenClaw's browser to navigate to the private-network target after the security check has already passed, granting the browser session unauthorized access to the internal resource.
4. Data Exfiltration (AML.T0086): Attacker uses browser evaluation capabilities to read and return the full content of the internal resource, capturing IAM credentials, internal API responses, admin interface data, or other sensitive configuration material.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw pip No patch
4 dependents; 79% patched; ~0d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: 7.7 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV Network
AC Low
PR Low
UI None
S Changed
C High
I None
A None

What should I do?

1) Upgrade OpenClaw to version 2026.5.18+ (patch available per GHSA-2hfg-4fh4-qp7f).
2) Apply network-level controls: restrict agent process egress to allowlisted FQDNs; block RFC 1918, link-local (169.254.x.x), and loopback ranges at the firewall or container network policy layer regardless of application-level checks.
3) If immediate patching is not possible, disable browser control features or gate Playwright act interactions behind elevated privilege requirements.
4) Audit agent activity logs for navigation attempts to internal IP ranges and unexpected browser evaluation calls against non-public URLs.
5) In cloud deployments, enforce IMDSv2 token-required mode to limit metadata service exposure even if SSRF succeeds.
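
One way to carry out the log audit in step 4, as an added example rather than OpenClaw code. The JSON-lines records and their field names (session, user, event, url) are constructed for illustration and are not OpenClaw's log schema; the check covers literal IP and localhost destinations at every hop, not hostnames that resolve internally.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample records. Field names are hypothetical, not OpenClaw's log schema.
SAMPLE_LOG = """\
{"session": "s1", "user": "alice", "event": "navigate", "url": "https://docs.example.com/start"}
{"session": "s1", "user": "alice", "event": "redirect", "url": "https://docs.example.com/guide"}
{"session": "s2", "user": "bob", "event": "navigate", "url": "https://landing.example.net/a"}
{"session": "s2", "user": "bob", "event": "redirect", "url": "http://169.254.169.254/latest/meta-data/"}
{"session": "s2", "user": "bob", "event": "evaluate", "url": "http://169.254.169.254/latest/meta-data/"}
{"session": "s3", "user": "carol", "event": "redirect", "url": "http://[::ffff:10.0.0.1]/admin"}
{"session": "s4", "user": "dave", "event": "navigate", "url": "http://localhost:8080/"}
"""


def is_internal(url):
    """True when the URL host is localhost or a literal private/loopback/link-local IP."""
    host = urlsplit(url).hostname or ""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: resolving it is left to network-layer enforcement
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged as the IPv4 address.
    ip = getattr(ip, "ipv4_mapped", None) or ip
    return ip.is_private or ip.is_loopback or ip.is_link_local


def audit(log_text):
    """Map session -> 'internal-read' if evaluation ran on an internal page,
    else 'internal-reach' if any navigation or redirect hop landed on one."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if not is_internal(rec["url"]):
            continue
        if rec["event"] == "evaluate":
            findings[rec["session"]] = "internal-read"
        else:
            findings.setdefault(rec["session"], "internal-reach")
    return findings


if __name__ == "__main__":
    for session, finding in audit(SAMPLE_LOG).items():
        print(session, finding)
```

Session s2 shows the sequence this advisory describes: a public first URL, a redirect hop to the metadata address, then an evaluation call on that page.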

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.6.2.3 - Assessment of impacts by the AI system
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain treatment of AI risks over the AI system lifecycle
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

How many AI incidents are linked? (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

Is CVE-2026-53812 actively exploited?

No confirmed active exploitation of CVE-2026-53812 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-53812?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI-powered browser automation, agentic systems with web browsing, multi-agent orchestration pipelines, cloud-deployed AI workloads.

What is the CVSS score for CVE-2026-53812?

CVE-2026-53812 has a CVSS v3.1 base score of 7.7 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworks
AI-powered browser automation
agentic systems with web browsing
multi-agent orchestration pipelines
cloud-deployed AI workloads

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0085.001 AI Agent Tools
AML.T0086 Exfiltration via AI Agent Tool Invocation
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.2.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

OpenClaw before 2026.5.18 contains a server-side request forgery vulnerability in browser control that allows authenticated users to bypass private-network navigation checks through Playwright act interactions. Attackers can trigger navigation to private-network targets via action-triggered redirects and subsequently read restricted page content using browser evaluation capabilities.

Exploitation Scenario

An attacker with a standard user account on an OpenClaw deployment crafts a Playwright 'act' command targeting an attacker-controlled external page that issues a 301 redirect to an internal target such as http://169.254.169.254/latest/meta-data/ (AWS IMDS) or http://10.0.0.1/admin. The redirect fires after the initial navigation check passes for the external domain, bypassing the private-network guard. The attacker then calls browser evaluation (e.g., page.evaluate returning document.body.innerText or a fetch-based extraction) to read the full response body of the internal endpoint, capturing IAM credentials, internal service tokens, or admin interface content. In a multi-agent orchestration setup, exfiltrated credentials can be replayed to pivot laterally into other internal services the agent host can reach.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Timeline

Published: June 11, 2026
Last Modified: June 11, 2026
First Seen: June 11, 2026