GHSA-2hh7-c75g-qj2r: OpenClaw SSRF bypass

Q: Is GHSA-2hh7-c75g-qj2r actively exploited?

No confirmed active exploitation of GHSA-2hh7-c75g-qj2r has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-2hh7-c75g-qj2r?

1. Patch: Upgrade openclaw to 2026.4.22 or later — the fix applies SSRF hostname validation to Zalo sendPhoto and all media-reply paths. 2. Verify: Confirm the deployed npm package contains commit a65eb1b864b7630c1242a82de9e5799b80583c3f. 3. Network controls: Enforce egress filtering on agent hosts to block requests to RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata endpoints (169.254.169.254) as defense-in-depth. 4. Detection: Review agent host HTTP proxy or network flow logs for outbound requests to internal IPs or metadata URLs originating from the openclaw process. 5. Audit: Review all other openclaw plugins for similar SSRF guard coverage gaps given the history of 135 CVEs in this package.

Q: What systems are affected by GHSA-2hh7-c75g-qj2r?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, messaging integrations, multi-channel AI bots.

Q: What is the CVSS score for GHSA-2hh7-c75g-qj2r?

No CVSS score has been assigned yet.

CISO Take

The Zalo plugin in openclaw (an AI agent framework) fails to route outbound photo URLs through the platform's built-in SSRF validation guard before forwarding them to the Zalo Bot API, allowing an attacker who can send Zalo messages to the bot to supply a crafted URL that triggers server-side requests to internal network targets. While the blast radius is narrow — only 4 downstream dependents and no public exploit code — the same package carries 135 total CVEs, signaling chronic security debt in a component with broad network reach. The vulnerability is not in CISA KEV and has no EPSS data, keeping active exploitation likelihood low today. Teams running openclaw with Zalo integrations should upgrade to 2026.4.22 immediately; no workaround exists for the vulnerable code path.

Sources: GitHub Advisory ATLAS

What is the risk?

Medium risk overall, but elevated for teams deploying openclaw-based agents in environments with sensitive internal services. SSRF in AI agent plugins is a growing attack surface: agents typically run with broad network access and process untrusted external inputs, making SSRF guard bypasses disproportionately dangerous compared to traditional web apps. The narrow plugin scope (Zalo sendPhoto) and low downstream dependency count limit immediate blast radius, but the pattern — an SSRF guard existing but not applied to all outbound paths — suggests similar gaps may exist in other plugins.

How does the attack unfold?

Initial Contact

Attacker sends a Zalo message to an openclaw-powered bot containing a crafted photo URL targeting an internal network resource (e.g., cloud metadata endpoint or internal API).

AML.T0049

SSRF Guard Bypass

The Zalo plugin calls sendPhoto with the attacker-supplied URL without invoking openclaw's shared SSRF hostname policy validator, bypassing the intended security control.

AML.T0053

Internal Network Request

The agent host makes an outbound HTTP request to the attacker-specified internal target, acting as an SSRF proxy from inside the protected network perimeter.

Reconnaissance / Exfiltration

Internal service responses (credentials, metadata, topology) are accessible to the attacker, enabling credential harvesting or further lateral movement planning.

AML.T0085

Initial Contact

Attacker sends a Zalo message to an openclaw-powered bot containing a crafted photo URL targeting an internal network resource (e.g., cloud metadata endpoint or internal API).

AML.T0049

SSRF Guard Bypass

The Zalo plugin calls sendPhoto with the attacker-supplied URL without invoking openclaw's shared SSRF hostname policy validator, bypassing the intended security control.

AML.T0053

Internal Network Request

The agent host makes an outbound HTTP request to the attacker-specified internal target, acting as an SSRF proxy from inside the protected network perimeter.

Reconnaissance / Exfiltration

Internal service responses (credentials, metadata, topology) are accessible to the attacker, enabling credential harvesting or further lateral movement planning.

AML.T0085

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
OpenClaw	npm	<= 2026.4.21	`2026.4.22`
4 dependents 37% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

What should I do?

5 steps

Patch: Upgrade openclaw to 2026.4.22 or later — the fix applies SSRF hostname validation to Zalo sendPhoto and all media-reply paths.
Verify: Confirm the deployed npm package contains commit a65eb1b864b7630c1242a82de9e5799b80583c3f.
Network controls: Enforce egress filtering on agent hosts to block requests to RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata endpoints (169.254.169.254) as defense-in-depth.
Detection: Review agent host HTTP proxy or network flow logs for outbound requests to internal IPs or metadata URLs originating from the openclaw process.
Audit: Review all other openclaw plugins for similar SSRF guard coverage gaps given the history of 135 CVEs in this package.

How is it classified?

Auth Bypass Data Extraction Agent Plugin AML.T0010.005 - AI Agent Tool AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

A.6.2 - AI risk assessment

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain the value of AI risk management approach

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure LLM06 - Excessive Agency

Frequently Asked Questions

What is GHSA-2hh7-c75g-qj2r?

The Zalo plugin in openclaw (an AI agent framework) fails to route outbound photo URLs through the platform's built-in SSRF validation guard before forwarding them to the Zalo Bot API, allowing an attacker who can send Zalo messages to the bot to supply a crafted URL that triggers server-side requests to internal network targets. While the blast radius is narrow — only 4 downstream dependents and no public exploit code — the same package carries 135 total CVEs, signaling chronic security debt in a component with broad network reach. The vulnerability is not in CISA KEV and has no EPSS data, keeping active exploitation likelihood low today. Teams running openclaw with Zalo integrations should upgrade to 2026.4.22 immediately; no workaround exists for the vulnerable code path.

Is GHSA-2hh7-c75g-qj2r actively exploited?

No confirmed active exploitation of GHSA-2hh7-c75g-qj2r has been reported, but organizations should still patch proactively.

How to fix GHSA-2hh7-c75g-qj2r?

1. Patch: Upgrade openclaw to 2026.4.22 or later — the fix applies SSRF hostname validation to Zalo sendPhoto and all media-reply paths. 2. Verify: Confirm the deployed npm package contains commit a65eb1b864b7630c1242a82de9e5799b80583c3f. 3. Network controls: Enforce egress filtering on agent hosts to block requests to RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata endpoints (169.254.169.254) as defense-in-depth. 4. Detection: Review agent host HTTP proxy or network flow logs for outbound requests to internal IPs or metadata URLs originating from the openclaw process. 5. Audit: Review all other openclaw plugins for similar SSRF guard coverage gaps given the history of 135 CVEs in this package.

What systems are affected by GHSA-2hh7-c75g-qj2r?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, messaging integrations, multi-channel AI bots.

What is the CVSS score for GHSA-2hh7-c75g-qj2r?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworksmessaging integrationsmulti-channel AI bots

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool

AML.T0049 Exploit Public-Facing Application

AML.T0053 AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: A.6.2

NIST AI RMF: MANAGE-2.2

OWASP LLM Top 10: LLM02, LLM06

What are the technical details?

Original Advisory

## Summary Zalo outbound photo URLs are validated through the SSRF guard. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact The Zalo plugin could forward an attacker-controlled outbound photo URL to the Zalo Bot API without first applying OpenClaw's SSRF validation policy. ## Fix Zalo sendPhoto now parses and validates outbound photo URLs with the shared SSRF hostname policy before posting to Zalo, and media-reply paths route through the guarded outbound media helpers. ## Fix Commit(s) - a65eb1b864b7630c1242a82de9e5799b80583c3f ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @foodlook for reporting.

Exploitation Scenario

An attacker with a Zalo account sends a photo message to an openclaw-powered Zalo bot, supplying a crafted photo URL pointing to an internal target such as http://169.254.169.254/latest/meta-data/iam/security-credentials/ (AWS instance metadata) or an internal Kubernetes API server. The Zalo plugin calls sendPhoto without first passing the URL through openclaw's SSRF hostname policy validator. The agent host makes an outbound HTTP request to the attacker-specified URL, and the response — potentially including cloud credentials or internal service data — is processed by the bot. The attacker can exfiltrate this data via subsequent Zalo API interactions or observe server behavior to enumerate internal network topology.

Weaknesses (CWE)

CWE-918 Server-Side Request Forgery (SSRF) Primary

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.