CVE-2026-6011 — MEDIUM (CVSS 5.6) AI Security Vulnerability

Q: Is CVE-2026-6011 actively exploited?

No confirmed active exploitation of CVE-2026-6011 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-6011?

1. Upgrade openclaw to version 2026.1.29 (commit b623557a2ec7e271bda003eb3ac33fbb2e218505). 2. If patching is delayed, enforce egress firewall rules blocking agent processes from reaching 169.254.169.254, 100.64.0.0/10, and all RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). 3. Enable IMDSv2 (token-required mode) on all AWS EC2 instances hosting OpenClaw agents. 4. Audit agent tool invocation logs for URL patterns targeting private address spaces, localhost variants, or cloud metadata paths. 5. Apply least-privilege network policies to agent runtime containers — deny all egress except explicitly allowlisted external domains.

Q: What systems are affected by CVE-2026-6011?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI systems with web browsing capabilities, RAG pipelines with URL fetching, cloud-hosted AI services.

Q: What is the CVSS score for CVE-2026-6011?

CVE-2026-6011 has a CVSS v3.1 base score of 5.6 (MEDIUM).

CISO Take

CVE-2026-6011 is a Server-Side Request Forgery flaw in OpenClaw's assertPublicHostname handler (src/agents/tools/web-fetch.ts) that allows unauthenticated remote attackers to force the AI agent to issue arbitrary HTTP requests to internal or restricted network resources. Although the CVSS score of 5.6 (Medium) reflects high attack complexity, the public availability of exploit code combined with the AI agent context substantially elevates real-world risk — a successful exploit can pivot to cloud metadata services (e.g., AWS IMDSv1 at 169.254.169.254), internal APIs, or services behind network segmentation, yielding temporary IAM credentials or internal service data. This package carries 67 tracked CVEs, indicating a systemic security posture problem that should factor into your supply chain risk assessment. Upgrade to openclaw 2026.1.29 immediately; if patching is delayed, enforce strict infrastructure-level egress controls blocking agent access to RFC-1918 addresses and cloud metadata endpoints.

Sources: NVD GitHub Advisory ATLAS

Risk Assessment

Medium severity by CVSS, but elevated to HIGH in environments where OpenClaw agents operate with unrestricted outbound network access. The AC:H score mitigates casual exploitation, but the public exploit removes the obscurity buffer. SSRF in AI agent tooling is particularly dangerous because agents may execute tool calls autonomously and at scale — a single malicious prompt can trigger repeated internal probing. Cloud-hosted deployments are at the greatest risk due to accessible IMDS endpoints. The 67 prior CVEs in this package suggest insufficient security investment by the maintainer and warrants treating openclaw as a high-risk dependency.

Attack Kill Chain

Initial Access

Attacker identifies a deployment running OpenClaw < 2026.1.29 with the web-fetch tool enabled and gains ability to influence agent inputs via direct user access, prompt injection in ingested documents, or a malicious URL in a RAG pipeline.

AML.T0049

Exploitation

Attacker crafts a URL targeting an internal resource (e.g., cloud IMDS endpoint or internal API) that bypasses the flawed assertPublicHostname validation in web-fetch.ts, causing the agent to issue the request.

AML.T0053

Internal Discovery

The OpenClaw agent successfully fetches the internal resource — cloud IAM temporary credentials, internal service configuration, or private API data — and returns the contents in its response.

AML.T0085.001

Exfiltration

Attacker harvests cloud credentials or sensitive internal data from the agent response, enabling assumption of IAM roles for lateral movement or direct data theft from cloud services.

AML.T0086

Initial Access

Attacker identifies a deployment running OpenClaw < 2026.1.29 with the web-fetch tool enabled and gains ability to influence agent inputs via direct user access, prompt injection in ingested documents, or a malicious URL in a RAG pipeline.

AML.T0049

Exploitation

Attacker crafts a URL targeting an internal resource (e.g., cloud IMDS endpoint or internal API) that bypasses the flawed assertPublicHostname validation in web-fetch.ts, causing the agent to issue the request.

AML.T0053

Internal Discovery

The OpenClaw agent successfully fetches the internal resource — cloud IAM temporary credentials, internal service configuration, or private API data — and returns the contents in its response.

AML.T0085.001

Exfiltration

Attacker harvests cloud credentials or sensitive internal data from the agent response, enabling assumption of IAM roles for lateral movement or direct data theft from cloud services.

AML.T0086

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
openclaw	npm	< 2026.1.29	`2026.1.29`

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1

5.6 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

Attack Surface

AV Network

AC High

PR None

UI None

S Unchanged

C Low

I Low

A Low

Recommended Action

Upgrade openclaw to version 2026.1.29 (commit b623557a2ec7e271bda003eb3ac33fbb2e218505).
If patching is delayed, enforce egress firewall rules blocking agent processes from reaching 169.254.169.254, 100.64.0.0/10, and all RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
Enable IMDSv2 (token-required mode) on all AWS EC2 instances hosting OpenClaw agents.
Audit agent tool invocation logs for URL patterns targeting private address spaces, localhost variants, or cloud metadata paths.
Apply least-privilege network policies to agent runtime containers — deny all egress except explicitly allowlisted external domains.

Classification

Data Extraction Privacy Violation Agent Plugin AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0085.001 - AI Agent Tools AML.T0086 - Exfiltration via AI Agent Tool Invocation

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

8.4 - AI System Operation

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain the value of deployed AI

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Related AI Incidents (1)

Malicious OpenClaw Skills Reportedly Delivered AMOS Stealer and Exfiltrated Credentials via ClawHub

Feb 2026 Unknown threat actors distributing malicious OpenClaw skills, Unknown threat actors, Unknown malicious actors medium confidence

AIID #1368 documents credential exfiltration via malicious OpenClaw skills in the same package ecosystem as this CVE. The SSRF vulnerability could serve as a technical enabler for analogous credential harvesting, as both exploit OpenClaw agent tool execution to access and exfiltrate sensitive data from the host environment.

AIID #1368

Source: AI Incident Database (AIID)

Frequently Asked Questions

What is CVE-2026-6011?

CVE-2026-6011 is a Server-Side Request Forgery flaw in OpenClaw's assertPublicHostname handler (src/agents/tools/web-fetch.ts) that allows unauthenticated remote attackers to force the AI agent to issue arbitrary HTTP requests to internal or restricted network resources. Although the CVSS score of 5.6 (Medium) reflects high attack complexity, the public availability of exploit code combined with the AI agent context substantially elevates real-world risk — a successful exploit can pivot to cloud metadata services (e.g., AWS IMDSv1 at 169.254.169.254), internal APIs, or services behind network segmentation, yielding temporary IAM credentials or internal service data. This package carries 67 tracked CVEs, indicating a systemic security posture problem that should factor into your supply chain risk assessment. Upgrade to openclaw 2026.1.29 immediately; if patching is delayed, enforce strict infrastructure-level egress controls blocking agent access to RFC-1918 addresses and cloud metadata endpoints.

Is CVE-2026-6011 actively exploited?

No confirmed active exploitation of CVE-2026-6011 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-6011?

1. Upgrade openclaw to version 2026.1.29 (commit b623557a2ec7e271bda003eb3ac33fbb2e218505). 2. If patching is delayed, enforce egress firewall rules blocking agent processes from reaching 169.254.169.254, 100.64.0.0/10, and all RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). 3. Enable IMDSv2 (token-required mode) on all AWS EC2 instances hosting OpenClaw agents. 4. Audit agent tool invocation logs for URL patterns targeting private address spaces, localhost variants, or cloud metadata paths. 5. Apply least-privilege network policies to agent runtime containers — deny all egress except explicitly allowlisted external domains.

What systems are affected by CVE-2026-6011?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI systems with web browsing capabilities, RAG pipelines with URL fetching, cloud-hosted AI services.

What is the CVSS score for CVE-2026-6011?

CVE-2026-6011 has a CVSS v3.1 base score of 5.6 (MEDIUM).

Technical Details

NVD Description

A weakness has been identified in OpenClaw up to 2026.1.26. Affected by this issue is some unknown functionality of the file src/agents/tools/web-fetch.ts of the component assertPublicHostname Handler. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2026.1.29 can resolve this issue. This patch is called b623557a2ec7e271bda003eb3ac33fbb2e218505. Upgrading the affected component is advised.

Exploitation Scenario

An adversary with the ability to influence OpenClaw agent inputs — via direct user access, a prompt injection embedded in a document ingested by a RAG pipeline, or indirect injection through retrieved web content — crafts a request containing a URL targeting http://169.254.169.254/latest/meta-data/iam/security-credentials/. The flawed assertPublicHostname handler fails to reject this address, and the web-fetch tool fetches the resource. The agent returns the cloud IAM temporary credentials (Access Key, Secret Key, Session Token) in its response, which the adversary harvests and uses to assume the instance's IAM role. This is especially realistic in agentic workflows where user-supplied URLs are passed directly to the fetch tool without secondary validation.