GHSA-536q-mj95-h29h: openclaw: SSRF bypass via browser navigation guard gap

GHSA-536q-mj95-h29h MEDIUM
Published April 17, 2026
CISO Take

openclaw, an AI agent browser automation package, contains an SSRF bypass: keyboard press and type (form-submit) interactions can trigger page navigation without the full post-action SSRF policy enforcement the tool is designed to apply. For teams running AI agents with autonomous browsing capability, this means a crafted web page or adversary-controlled input could steer the agent into sending requests to cloud metadata endpoints, internal APIs, or other SSRF-restricted targets from the agent's privileged network position. The same package has accumulated 135 CVEs, and AIID incident #1368 documents active credential theft via malicious openclaw skills in early 2026, which signals a motivated attacker community already targeting this ecosystem. Upgrade to openclaw >= 2026.4.10 immediately (npm package 2026.4.14 is the current stable release) and audit any deployment where the agent has access to sensitive internal network segments.

Sources: GitHub Advisory, ATLAS

What is the risk?

Medium exploitability in targeted deployments. SSRF bypasses in AI agent browser tools carry disproportionate impact because agents typically run with broader internal network access than standard web applications. The vulnerability requires influencing what the agent types or presses, which is feasible via prompt injection or crafted web content. The 135 CVEs in the same package and confirmed ecosystem abuse in AIID #1368 elevate practical risk well above what the medium severity rating suggests in isolation.

How does the attack unfold?

  1. Malicious Content Delivery (AML.T0100): Adversary prepares a web page or input containing crafted press/type sequences designed to trigger a form submission or navigation event to an adversary-controlled or internal URL.

  2. Navigation Guard Bypass (AML.T0053): The AI agent executes the press/type interaction via openclaw, triggering navigation without the three-phase SSRF policy enforcement that the patched version applies.

  3. SSRF Request to Internal Target (AML.T0049): Bypassed navigation causes the agent to issue an HTTP request to an internal resource — cloud metadata endpoint, intranet API, or internal service — from the agent's privileged network position.

  4. Internal Data Exfiltration (AML.T0086): Agent retrieves sensitive internal data (IAM credentials, API keys, internal service responses) which the adversary collects via agent output, task logs, or an out-of-band callback.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.4.10 | 2026.4.10 |

4 dependents, 37% patched, ~3d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

  1. Upgrade openclaw to >= 2026.4.10; openclaw@2026.4.14 (npm) is the current stable release containing all three fix commits.

  2. Until patched, restrict network egress for any host running openclaw agents to block RFC 1918 ranges and cloud metadata endpoints (169.254.169.254, fd00::/8) via iptables or Kubernetes NetworkPolicy.

  3. Apply network-level SSRF protections as defense-in-depth regardless of patch status.

  4. Audit openclaw skill and plugin configurations for third-party content given documented malicious skill ecosystem (AIID #1368).

  5. Review agent task logs for anomalous navigation to internal address ranges.
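
Steps 2 and 5 name the address ranges to block and ask for a log review. The following added example (not openclaw code and not part of the advisory) checks logged navigation URLs against those ranges. The JSON-lines log format, its `ts`/`action`/`url` fields, the loopback entries and the sample lines are assumptions constructed for illustration.

```javascript
// Added example: flag logged agent navigations that landed on an internal address.
// The log format, field names and sample lines are constructed, not openclaw output.
const net = require('net');

// Ranges from step 2 (RFC 1918, 169.254.169.254, fd00::/8); loopback is an added assumption.
const internal = new net.BlockList();
internal.addSubnet('10.0.0.0', 8, 'ipv4');
internal.addSubnet('172.16.0.0', 12, 'ipv4');
internal.addSubnet('192.168.0.0', 16, 'ipv4');
internal.addSubnet('127.0.0.0', 8, 'ipv4');
internal.addAddress('169.254.169.254', 'ipv4');
internal.addSubnet('fd00::', 8, 'ipv6');
internal.addAddress('::1', 'ipv6');

// Returns the IP literal if the URL's host is an internal address, else null.
// WHATWG URL parsing rewrites decimal/hex IPv4 hosts (http://2852039166/) to
// dotted-quad, so those spellings are matched too. Hostnames are not resolved here.
function internalTarget(rawUrl) {
  let host;
  try { host = new URL(rawUrl).hostname; } catch { return null; }
  host = host.replace(/^\[|\]$/g, ''); // URL keeps brackets around IPv6 literals
  const family = net.isIP(host);       // 0 means "not an IP literal"
  if (family === 0) return null;
  return internal.check(host, family === 6 ? 'ipv6' : 'ipv4') ? host : null;
}

const SAMPLE_LOG = [ // constructed JSON-lines task log
  '{"ts":"2026-04-18T09:00:01Z","action":"navigate","url":"https://example.com/login"}',
  '{"ts":"2026-04-18T09:00:04Z","action":"pressKey","url":"http://169.254.169.254/latest/meta-data/"}',
  '{"ts":"2026-04-18T09:00:09Z","action":"type","url":"http://[fd00::1]/admin"}',
  '{"ts":"2026-04-18T09:00:12Z","action":"pressKey","url":"http://2852039166/"}',
  'truncated line, not JSON',
];

// Returns one finding per parseable line whose recorded URL is an internal address.
function reviewLog(lines) {
  const findings = [];
  for (const line of lines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip malformed lines
    const ip = typeof entry?.url === 'string' ? internalTarget(entry.url) : null;
    if (ip) findings.push({ ts: entry.ts, action: entry.action, ip });
  }
  return findings;
}

console.log(reviewLog(SAMPLE_LOG));
```

Hostnames that resolve to internal addresses are not caught by this literal-IP check; pair it with DNS query logs or the egress controls from step 2.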

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: 8.3 - AI System Design
NIST AI RMF: MEASURE 2.5 - AI Risk Measurement
OWASP LLM Top 10: LLM06 - Excessive Agency; LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is GHSA-536q-mj95-h29h actively exploited?

No confirmed active exploitation of GHSA-536q-mj95-h29h has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-536q-mj95-h29h?

This vulnerability affects the following AI/ML architecture patterns: computer-use AI agents, browser automation pipelines, agent frameworks, agentic task runners.

What is the CVSS score for GHSA-536q-mj95-h29h?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

computer-use AI agents, browser automation pipelines, agent frameworks, agentic task runners

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0086 Exfiltration via AI Agent Tool Invocation
AML.T0100 AI Agent Clickbait

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 8.3
NIST AI RMF: MEASURE 2.5
OWASP LLM Top 10: LLM06, LLM07

What are the technical details?

Original Advisory

## Summary

Browser press/type interaction routes missed complete navigation guard coverage.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.10`
- Patched versions: `>= 2026.4.10`

## Impact

Some browser press/type style interactions could trigger navigation without complete post-action SSRF policy enforcement.

## Technical Details

The fix applies a three-phase interaction navigation guard to navigation-capable interactions, including pressKey and type submit flows.

## Fix

The issue was fixed in #62023 and #63226 and #63889. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `049acf23cb03e1b92f5c71cd99c6ec5f35cc56fe`
- `5f5b3d733bdd791cb457f838514179e1288b10b3`
- `e0b8ddc1a55185aff1cf9e0e095014d2e4f1d894`
- PR: #62023, #63226, #63889

## Release Process Note

Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.

Exploitation Scenario

An adversary hosts a malicious web page containing a form or input field. An AI agent running a vulnerable openclaw version is directed — via prompt injection or task assignment — to interact with the page using keyboard type or pressKey events. The interaction triggers a form submission or navigation event. Because openclaw's SSRF policy is not applied to these interaction-triggered navigations, the agent follows a redirect to an internal target such as the EC2 metadata endpoint (http://169.254.169.254/latest/meta-data/iam/security-credentials/). The agent's response, containing IAM credentials or other internal data, is exfiltrated by the adversary via callback or logged agent output.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

Timeline

Published: April 17, 2026
Last Modified: April 17, 2026
First Seen: April 18, 2026
