AI Threat Alert

CVE-2026-6011: OpenClaw: SSRF via web-fetch enables internal network pivot

GHSA-52vj-fvrv-7q82 MEDIUM PoC AVAILABLE CISA: TRACK*
Published April 10, 2026
CISO Take

CVE-2026-6011 is a Server-Side Request Forgery flaw in OpenClaw's assertPublicHostname handler (src/agents/tools/web-fetch.ts) that allows unauthenticated remote attackers to force the AI agent to issue arbitrary HTTP requests to internal or restricted network resources. Although the CVSS score of 5.6 (Medium) reflects high attack complexity, the public availability of exploit code combined with the AI agent context substantially elevates real-world risk — a successful exploit can pivot to cloud metadata services (e.g., AWS IMDSv1 at 169.254.169.254), internal APIs, or services behind network segmentation, yielding temporary IAM credentials or internal service data. This package carries 67 tracked CVEs, indicating a systemic security posture problem that should factor into your supply chain risk assessment. Upgrade to openclaw 2026.1.29 immediately; if patching is delayed, enforce strict infrastructure-level egress controls blocking agent access to RFC-1918 addresses and cloud metadata endpoints.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Medium severity by CVSS, but elevated to HIGH in environments where OpenClaw agents operate with unrestricted outbound network access. The AC:H score mitigates casual exploitation, but the public exploit removes the obscurity buffer. SSRF in AI agent tooling is particularly dangerous because agents may execute tool calls autonomously and at scale — a single malicious prompt can trigger repeated internal probing. Cloud-hosted deployments are at the greatest risk due to accessible IMDS endpoints. The 67 prior CVEs in this package suggest insufficient security investment by the maintainer and warrants treating openclaw as a high-risk dependency.

How does the attack unfold?

Initial Access
Attacker identifies a deployment running OpenClaw < 2026.1.29 with the web-fetch tool enabled and gains ability to influence agent inputs via direct user access, prompt injection in ingested documents, or a malicious URL in a RAG pipeline.
AML.T0049
Exploitation
Attacker crafts a URL targeting an internal resource (e.g., cloud IMDS endpoint or internal API) that bypasses the flawed assertPublicHostname validation in web-fetch.ts, causing the agent to issue the request.
AML.T0053
Internal Discovery
The OpenClaw agent successfully fetches the internal resource — cloud IAM temporary credentials, internal service configuration, or private API data — and returns the contents in its response.
AML.T0085.001
Exfiltration
Attacker harvests cloud credentials or sensitive internal data from the agent response, enabling assumption of IAM roles for lateral movement or direct data theft from cloud services.
AML.T0086

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw npm < 2026.1.29 2026.1.29
4 dependents 37% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
5.6 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 33% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC High
PR None
UI None
S Unchanged
C Low
I Low
A Low

What should I do?

5 steps

  1. Upgrade openclaw to version 2026.1.29 (commit b623557a2ec7e271bda003eb3ac33fbb2e218505).

  2. If patching is delayed, enforce egress firewall rules blocking agent processes from reaching 169.254.169.254, 100.64.0.0/10, and all RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

  3. Enable IMDSv2 (token-required mode) on all AWS EC2 instances hosting OpenClaw agents.

  4. Audit agent tool invocation logs for URL patterns targeting private address spaces, localhost variants, or cloud metadata paths.

  5. Apply least-privilege network policies to agent runtime containers — deny all egress except explicitly allowlisted external domains.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Privacy Violation Agent Plugin AML.T0049 AML.T0053 AML.T0085.001 AML.T0086

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
8.4 - AI System Operation
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-6011?

CVE-2026-6011 is a Server-Side Request Forgery flaw in OpenClaw's assertPublicHostname handler (src/agents/tools/web-fetch.ts) that allows unauthenticated remote attackers to force the AI agent to issue arbitrary HTTP requests to internal or restricted network resources. Although the CVSS score of 5.6 (Medium) reflects high attack complexity, the public availability of exploit code combined with the AI agent context substantially elevates real-world risk — a successful exploit can pivot to cloud metadata services (e.g., AWS IMDSv1 at 169.254.169.254), internal APIs, or services behind network segmentation, yielding temporary IAM credentials or internal service data. This package carries 67 tracked CVEs, indicating a systemic security posture problem that should factor into your supply chain risk assessment. Upgrade to openclaw 2026.1.29 immediately; if patching is delayed, enforce strict infrastructure-level egress controls blocking agent access to RFC-1918 addresses and cloud metadata endpoints.

Is CVE-2026-6011 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-6011, increasing the risk of exploitation.

How to fix CVE-2026-6011?

1. Upgrade openclaw to version 2026.1.29 (commit b623557a2ec7e271bda003eb3ac33fbb2e218505). 2. If patching is delayed, enforce egress firewall rules blocking agent processes from reaching 169.254.169.254, 100.64.0.0/10, and all RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). 3. Enable IMDSv2 (token-required mode) on all AWS EC2 instances hosting OpenClaw agents. 4. Audit agent tool invocation logs for URL patterns targeting private address spaces, localhost variants, or cloud metadata paths. 5. Apply least-privilege network policies to agent runtime containers — deny all egress except explicitly allowlisted external domains.

What systems are affected by CVE-2026-6011?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI systems with web browsing capabilities, RAG pipelines with URL fetching, cloud-hosted AI services.

What is the CVSS score for CVE-2026-6011?

CVE-2026-6011 has a CVSS v3.1 base score of 5.6 (MEDIUM). The EPSS exploitation probability is 0.42%.

What is the AI security impact?

Affected AI Architectures

agent frameworksAI systems with web browsing capabilitiesRAG pipelines with URL fetchingcloud-hosted AI services

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0085.001 AI Agent Tools
AML.T0086 Exfiltration via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: 8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

A weakness has been identified in OpenClaw up to 2026.1.26. Affected by this issue is some unknown functionality of the file src/agents/tools/web-fetch.ts of the component assertPublicHostname Handler. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2026.1.29 can resolve this issue. This patch is called b623557a2ec7e271bda003eb3ac33fbb2e218505. Upgrading the affected component is advised.

Exploitation Scenario

An adversary with the ability to influence OpenClaw agent inputs — via direct user access, a prompt injection embedded in a document ingested by a RAG pipeline, or indirect injection through retrieved web content — crafts a request containing a URL targeting http://169.254.169.254/latest/meta-data/iam/security-credentials/. The flawed assertPublicHostname handler fails to reject this address, and the web-fetch tool fetches the resource. The agent returns the cloud IAM temporary credentials (Access Key, Secret Key, Session Token) in its response, which the adversary harvests and uses to assume the instance's IAM role. This is especially realistic in agentic workflows where user-supplied URLs are passed directly to the fetch tool without secondary validation.

Weaknesses (CWE)

CWE-918 Server-Side Request Forgery (SSRF) Primary

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

References

Timeline

Published
April 10, 2026
Last Modified
April 10, 2026
First Seen
April 11, 2026

Related Vulnerabilities

CRITICAL CVE-2026-33579 9.9

Analysis pending

Same package: openclaw
CRITICAL CVE-2026-32922 9.9

Analysis pending

Same package: openclaw
CRITICAL CVE-2026-30741 9.8

OpenClaw: RCE via request-side prompt injection

Same package: openclaw
CRITICAL CVE-2026-32038 9.8

Analysis pending

Same package: openclaw
CRITICAL CVE-2026-53838 9.8

OpenClaw: approval scope bypass via reconnection state

Same package: openclaw
Back to Threat Feed