GHSA-527m-976r-jf79: openclaw: SSRF bypass in existing browser session routes

GHSA-527m-976r-jf79 MEDIUM
Published April 17, 2026
CISO Take

A Server-Side Request Forgery (SSRF) policy bypass in openclaw's browser automation component allows navigation to internal or restricted network targets during existing browser sessions without triggering the same guards applied to newly-initiated routes. For AI agent deployments this is particularly dangerous because browser-capable agents typically run with elevated network access, potentially exposing cloud metadata services (e.g., AWS IMDSv1), internal APIs, or private infrastructure to adversary-controlled navigation. The blast radius is currently contained — only 4 downstream npm dependents — and there is no evidence of active exploitation or CISA KEV listing, but the 135 other CVEs recorded against this package signal a chronically immature security posture that warrants heightened scrutiny. Teams running openclaw should upgrade immediately to version 2026.4.10 or newer (latest stable: 2026.4.14); if immediate patching is blocked, apply a compensating control: restrict browser agent network egress to RFC-1918 ranges and cloud metadata endpoints with firewall rules or proxy allowlists.

Sources: GitHub Advisory, ATLAS, CISA KEV

What is the risk?

Medium. The vulnerability requires an active existing session context, which limits fully unauthenticated opportunistic exploitation; however, SSRF in AI agent frameworks carries disproportionate impact because agents operate with broad network reach by design. No EPSS score or KEV listing exists, indicating no observed in-the-wild exploitation at time of publication. The 4 downstream npm dependents constrain broad supply chain exposure, but any cloud-hosted or on-premise openclaw deployment with access to internal network segments faces meaningful lateral movement risk if an attacker can influence agent navigation targets.

How does the attack unfold?

  1. Malicious Input Injection (AML.T0051.001): Adversary introduces a malicious URL or navigation target into the AI agent's task context via untrusted user input, retrieved web content, or an indirect prompt injection in a data source.

  2. SSRF Guard Bypass (AML.T0049): The existing-session browser interaction route processes the navigation request without applying the SSRF policy check, silently bypassing the guard enforced on new-session routes.

  3. Internal Resource Access (AML.T0053): The agent's browser navigates to internal targets — cloud metadata services, internal APIs, or RFC-1918 hosts — that SSRF policy should have blocked.

  4. Credential / Data Exfiltration (AML.T0086): Responses from internal resources (IAM credentials, tokens, internal service data) surface in the agent's browser output and are captured by the adversary through agent logs or API responses.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched | Dependents | % patched | Time to patch |
|---|---|---|---|---|---|---|
| OpenClaw | npm | < 2026.4.10 | 2026.4.10 | 4 | 37% | ~3d |
| OpenClaw | pip | | No patch | 4 | 37% | ~3d |

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

  1. Patch: Upgrade openclaw to >= 2026.4.10 immediately (2026.4.14 is the latest stable npm release).

  2. Network: Enforce egress firewall rules on openclaw agent processes blocking access to RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata endpoints (169.254.169.254, fd00:ec2::254).

  3. Detection: Monitor agent browser navigation logs for requests targeting internal IP ranges, link-local addresses, or cloud metadata paths. Alert on any agent-initiated HTTP request to non-allowlisted private hosts.

  4. Audit: Inventory all openclaw deployments and identify which expose existing-session browser routes to untrusted input channels; prioritize those for emergency patching.
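
An added example for the detection step (not openclaw code): a Node.js filter that classifies navigation targets from JSON-lines logs against the ranges and metadata endpoints listed in the network step. The log field names (`session`, `route`, `url`) and the sample lines are constructed assumptions, not openclaw's log format.

```javascript
// Added example, not openclaw code. Log field names (session, route, url) are assumed.
const BLOCKED_V4 = [                      // [base address, prefix length]
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], // RFC 1918
  ["169.254.0.0", 16],                    // link-local, includes 169.254.169.254
];
const METADATA_HOSTS = new Set(["169.254.169.254", "fd00:ec2::254"]);

// Dotted quad -> unsigned 32-bit number, or null when host is not an IPv4 literal.
function ipv4ToInt(host) {
  const parts = host.split(".");
  const ok = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return ok ? parts.reduce((acc, p) => acc * 256 + Number(p), 0) : null;
}

function inCidr(addr, [base, bits]) {
  const size = 2 ** (32 - bits);          // number of addresses in the block
  return Math.floor(addr / size) === Math.floor(ipv4ToInt(base) / size);
}

// Returns a reason string when the URL points at an internal target, else null.
function classifyTarget(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return "unparseable-url"; }
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (METADATA_HOSTS.has(host)) return "cloud-metadata";
  const v4 = ipv4ToInt(host);
  if (v4 !== null && BLOCKED_V4.some((cidr) => inCidr(v4, cidr))) return "internal-ipv4";
  if (/^fe[89ab][0-9a-f]:/.test(host)) return "link-local-ipv6"; // fe80::/10
  return null; // DNS names must be resolved before this check; not done here
}

// Scan JSON-lines navigation logs and return one alert per internal target.
function findInternalNavigations(lines) {
  const alerts = [];
  for (const line of lines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip malformed lines
    const reason = classifyTarget(entry.url);
    if (reason) alerts.push({ session: entry.session, url: entry.url, reason });
  }
  return alerts;
}

// Constructed sample log lines (not real openclaw output).
const SAMPLE_LOG = [
  '{"session":"new","route":"navigate","url":"https://example.com/docs"}',
  '{"session":"existing","route":"navigate","url":"http://169.254.169.254/latest/meta-data/iam/security-credentials/"}',
  '{"session":"existing","route":"click","url":"http://10.20.0.5:8080/admin"}',
  '{"session":"existing","route":"navigate","url":"http://[fd00:ec2::254]/latest/meta-data/"}',
  '{"session":"new","route":"navigate","url":"http://172.32.0.1/"}',
];
console.log(findInternalNavigations(SAMPLE_LOG));
```

The last sample line sits just outside 172.16.0.0/12 and is not flagged. Targets given as DNS names pass through unclassified, so the egress rules in step 2 remain the enforcing control.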

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.3 - Security of AI system interactions
NIST AI RMF: MEASURE 2.5 - Risks to the AI system from human use
OWASP LLM Top 10: LLM07 - System Prompt Leakage; LLM08 - Excessive Agency

Frequently Asked Questions

Is GHSA-527m-976r-jf79 actively exploited?

No confirmed active exploitation of GHSA-527m-976r-jf79 has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-527m-976r-jf79?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, browser automation pipelines, multi-agent orchestration.

What is the CVSS score for GHSA-527m-976r-jf79?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, browser automation pipelines, multi-agent orchestration

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0086 Exfiltration via AI Agent Tool Invocation
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.3
NIST AI RMF: MEASURE 2.5
OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

## Summary

Existing-session browser interaction routes bypassed SSRF policy enforcement.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.10`
- Patched versions: `>= 2026.4.10`

## Impact

Existing-session browser interaction routes could continue interacting with or navigating targets without applying the same SSRF navigation guard used by guarded browser routes.

## Technical Details

The fix guards existing-session navigation and interaction routes with browser navigation policy checks.

## Fix

The issue was fixed in #64370. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `daeb74920d5ad986cb600625180037e23221e93a`
- PR: #64370

## Release Process Note

Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
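
A hypothetical sketch of the bug class the advisory describes, added here and not taken from openclaw: a guard called by hand in each route is missed on the existing-session route, while a shared wrapper applies it to every route. `routesMissingGuard` is a regression check that lists routes letting a blocked target reach the browser. The route names, the browser stand-in and the one-host policy are assumptions.

```javascript
// Added sketch, not openclaw code: route names, handlers and the policy are hypothetical.
// Navigation policy: throws when the target must not be reached.
function navigationPolicy(rawUrl) {
  const host = new URL(rawUrl).hostname;
  if (host === "169.254.169.254") throw new Error(`blocked by SSRF policy: ${host}`);
}

// Stand-in for the browser: records every URL it was told to load.
function makeBrowser() {
  const visited = [];
  return { visited, goto: (url) => { visited.push(url); return `loaded ${url}`; } };
}

// BEFORE: each route calls the guard itself, and one route does not.
function unguardedRoutes(browser) {
  return {
    "new-session/navigate": (url) => { navigationPolicy(url); return browser.goto(url); },
    "existing-session/navigate": (url) => browser.goto(url), // no policy check
  };
}

// AFTER: every route is built through one wrapper that applies the policy first.
function guardedRoutes(browser) {
  const guard = (handler) => (url) => { navigationPolicy(url); return handler(url); };
  return {
    "new-session/navigate": guard((url) => browser.goto(url)),
    "existing-session/navigate": guard((url) => browser.goto(url)),
  };
}

// Regression check: names of routes that let a blocked target reach the browser.
function routesMissingGuard(makeRoutes, blockedUrl) {
  const leaks = [];
  const browser = makeBrowser();
  for (const [name, handler] of Object.entries(makeRoutes(browser))) {
    try { handler(blockedUrl); } catch { /* policy rejected the navigation */ }
    if (browser.visited.includes(blockedUrl)) leaks.push(name);
    browser.visited.length = 0; // reset between routes
  }
  return leaks;
}

const BLOCKED = "http://169.254.169.254/latest/meta-data/";
console.log("before:", routesMissingGuard(unguardedRoutes, BLOCKED));
console.log("after: ", routesMissingGuard(guardedRoutes, BLOCKED));
```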

Exploitation Scenario

An adversary targeting a cloud-hosted AI agent built on openclaw injects a malicious URL into the agent's task input — either through a compromised upstream data source, a prompt injection in retrieved web content, or a direct user-supplied query. When the agent uses an already-active browser session to navigate or interact with the attacker-supplied target, the SSRF guard is silently skipped. The browser follows the navigation, reaching http://169.254.169.254/latest/meta-data/iam/security-credentials/ on AWS and returning IAM role credentials in the agent's browser context. The adversary extracts those credentials from the agent's output or logs, gaining persistent cloud access without triggering any SSRF policy alert.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

Timeline

Published: April 17, 2026
Last Modified: April 17, 2026
First Seen: April 18, 2026
