GHSA-2767-2q9v-9326: openclaw: QQBot SSRF leaks internal service responses

GHSA-2767-2q9v-9326 MEDIUM
Published April 17, 2026
CISO Take

The openclaw npm package contains a Server-Side Request Forgery flaw in its QQBot reply media URL handler, where attacker-controlled URLs are fetched without validation and the returned bytes are re-uploaded back through the bot channel — converting a typically blind SSRF into a direct data exfiltration primitive. While rated medium severity with only 4 downstream dependents and no CISA KEV listing, the AI agent context significantly amplifies risk: any HTTP-accessible internal service reachable from the bot host (cloud IMDS endpoints, internal APIs, private configuration stores) is within the attack surface, with no authentication required beyond the ability to send a QQBot message. The same package carries 135 historical CVEs and is linked to AIID #1368, a confirmed real-world abuse incident where malicious openclaw skills exfiltrated credentials, indicating sustained attacker familiarity with this attack surface. Upgrade to openclaw ≥ 2026.4.12 (latest: 2026.4.14) immediately; where patching is delayed, apply egress firewall rules blocking RFC-1918 ranges and metadata IP addresses (169.254.169.254) from the bot host.

Sources: GitHub Advisory, ATLAS, CISA KEV

What is the risk?

Medium risk with elevated concern in cloud-hosted agentic AI deployments. No public exploit code, no CISA KEV listing, and 4 downstream dependents limit immediate blast radius. However, the re-upload behavior transforms a typically blind SSRF into a confirmed exfiltration channel — a materially higher-impact variant than standard SSRF. Cloud environments with accessible IMDS endpoints face the highest exposure, as a single crafted message could yield temporary AWS/GCP/Azure credentials. The package's history of 135 CVEs and confirmed real-world exploitation (AIID #1368) indicates persistent attacker interest in this attack surface.

How does the attack unfold?

  1. Initial Access (AML.T0049): Adversary sends a QQBot reply message containing a crafted media URL targeting an internal service or cloud metadata endpoint (e.g., AWS IMDS).

  2. SSRF Exploitation (AML.T0053): Unpatched openclaw fetches the attacker-controlled URL without SSRF guards, reaching internal HTTP services otherwise inaccessible from the external network.

  3. Exfiltration (AML.T0086): Response bytes from the internal service are re-uploaded by openclaw to the QQBot channel, delivering sensitive data (credentials, config, API responses) directly to the adversary.

  4. Impact (AML.T0025): Adversary reads exfiltrated data from the bot channel and uses obtained credentials or configuration to pivot to broader infrastructure compromise.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.4.12 | 2026.4.12 |

4 dependents, 37% patched, ~3d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

5 steps
  1. Upgrade openclaw to ≥ 2026.4.12; the current patched release is openclaw@2026.4.14 on npm.

  2. If immediate patching is not feasible, apply egress firewall rules on the bot host blocking RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and the cloud metadata endpoints (link-local 169.254.169.254 and the IPv6 unique-local address fd00:ec2::254).

  3. Enforce an explicit allowlist of permitted media domains in bot configuration, rejecting any URL not matching approved CDN patterns.

  4. Route all outbound bot HTTP traffic through an SSRF-aware egress proxy or WAF.

  5. Monitor bot channel logs for anomalously large media re-uploads and alert on internal IP ranges or metadata hostnames appearing in fetched URL fields.
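
One way to implement the allowlist in step 3 and to classify the internal addresses named in steps 2 and 5, as an added example that is not openclaw's code or its fix. The host names under `example-cdn.test`, the https-only policy and the function names (`checkMediaUrl`, `resolvesInternally`) are assumptions made for illustration.

```javascript
// Added example, not openclaw code. ALLOWED_MEDIA_HOSTS is an assumed allowlist;
// a leading dot means "any subdomain of".
const ALLOWED_MEDIA_HOSTS = ['media.example-cdn.test', '.img.example-cdn.test'];
// Ranges named in the mitigation steps, plus loopback and 0.0.0.0/8.
const BLOCKED_V4 = [['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['169.254.0.0', 16], ['127.0.0.0', 8], ['0.0.0.0', 8]];
const v4ToInt = (ip) => ip.split('.').reduce((n, octet) => n * 256 + Number(octet), 0);

function isBlockedV4(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return true; // fail closed on garbage
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits); // addresses per block
    return Math.floor(v4ToInt(ip) / size) === Math.floor(v4ToInt(net) / size);
  });
}

function isBlockedV6(ip) {
  let canon; // let the URL parser produce the canonical compressed form
  try { canon = new URL(`http://[${ip}]/`).hostname.slice(1, -1); } catch { return true; }
  if (canon === '::' || canon === '::1') return true; // unspecified, loopback
  const mapped = canon.match(/^::ffff:([0-9a-f]+):([0-9a-f]+)$/); // IPv4-mapped
  if (mapped) {
    const [hi, lo] = [parseInt(mapped[1], 16), parseInt(mapped[2], 16)];
    return isBlockedV4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  const head = parseInt(canon.split(':')[0] || '0', 16);
  // fc00::/7 unique-local (includes fd00:ec2::254) and fe80::/10 link-local
  return (head & 0xfe00) === 0xfc00 || (head & 0xffc0) === 0xfe80;
}

const isBlockedAddress = (ip) => (ip.includes(':') ? isBlockedV6(ip) : isBlockedV4(ip));

// Gate 1, before DNS: IP literals, scheme, embedded credentials, host allowlist.
function checkMediaUrl(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'unparseable' }; }
  const host = url.hostname.replace(/\.$/, '');
  // The URL parser has already normalised IPv4 hosts to dotted decimal.
  if (host.startsWith('[') || /^[\d.]+$/.test(host)) return { ok: false, reason: 'ip-literal' };
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (url.username || url.password) return { ok: false, reason: 'credentials' };
  const allowed = ALLOWED_MEDIA_HOSTS.some((h) => (h.startsWith('.') ? host.endsWith(h) : host === h));
  return allowed ? { ok: true, host } : { ok: false, reason: 'not-allowlisted' };
}

// Gate 2, after DNS and again on every redirect hop: refuse if any resolved
// address is internal, then connect to the vetted address rather than the name.
const resolvesInternally = (addrs) => addrs.length === 0 || addrs.some(isBlockedAddress);
```

Running `checkMediaUrl` over the URL fields in bot fetch logs yields the reason codes to alert on for step 5; an allowlisted name that `resolvesInternally` flags is the case a hostname allowlist alone would miss.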

How is it classified?

Which compliance frameworks are affected?

This advisory is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 8.4 - AI system operation and monitoring
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain oversight of AI systems
OWASP LLM Top 10: LLM05:2025 - Improper Output Handling; LLM06:2025 - Excessive Agency

Frequently Asked Questions

Is GHSA-2767-2q9v-9326 actively exploited?

No confirmed active exploitation of GHSA-2767-2q9v-9326 has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-2767-2q9v-9326?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, bot integrations, cloud-hosted AI agents.

What is the CVSS score for GHSA-2767-2q9v-9326?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, bot integrations, cloud-hosted AI agents

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0086 Exfiltration via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05:2025, LLM06:2025

What are the technical details?

Original Advisory

## Summary

QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.12`
- Patched versions: `>= 2026.4.12`

## Impact

QQBot reply media URLs could be treated as trusted media sources, allowing SSRF fetches whose returned bytes were then re-uploaded through the channel.

## Technical Details

The fix routes QQBot remote media fetches through SSRF-guarded media fetching and explicit URL allowlist policy.

## Fix

The issue was fixed in #63495 and #65788. The first stable tag containing the fix is `v2026.4.12`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `08ae021d1f4f02e0ca5fd8a3b9659291c1ecf95a`
- `ddb7a8dd80b8d5dd04aafa44ce7a4354b568bb2d`
- PR: #63495, #65788

## Release Process Note

Users should upgrade to `openclaw` 2026.4.12 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @threalwinky for reporting this issue.

Exploitation Scenario

An adversary with access to a QQBot channel sends a reply containing a crafted media URL targeting http://169.254.169.254/latest/meta-data/iam/security-credentials/ (AWS IMDS). The unpatched openclaw instance fetches this URL without SSRF validation, retrieves the AWS temporary credential JSON, and re-uploads the bytes to the QQBot channel. The adversary reads the channel output, obtains valid cloud IAM credentials, and pivots to broader AWS resource access. No prior system access is required — only the ability to send a QQBot message to a channel where an affected openclaw instance is present.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

Timeline

Published: April 17, 2026
Last Modified: April 17, 2026
First Seen: April 18, 2026