GHSA-53vx-pmqw-863c: openclaw: Browser SSRF exposes internal services by default

GHSA-53vx-pmqw-863c MEDIUM
Published April 17, 2026
CISO Take

openclaw, an AI agent browser automation package, shipped with a default SSRF policy that permitted browser-driven navigation to private-network addresses — meaning any deployment using default settings could inadvertently expose cloud metadata endpoints (AWS IMDS, GCP metadata), internal APIs, and private services to attacker-controlled input without any explicit misconfiguration on the operator's part. This insecure-by-default flaw (CWE-1188) is particularly dangerous in AI agent contexts where browser tools are routinely passed LLM-generated or user-supplied URLs, creating a natural injection path for SSRF payloads. With 135 CVEs recorded against the same package and a live AIID incident (#1368) documenting active abuse of openclaw's skills ecosystem to exfiltrate credentials via malicious third-party skills, this package is under active adversarial attention and the attack surface is credibly being probed. Upgrade to openclaw 2026.4.14 or later immediately; in the interim, explicitly configure SSRF restrictions to deny private-network access and audit agent egress logs for unexpected requests to RFC1918 or link-local ranges.

Sources: GitHub Advisory, ATLAS, AIID

What is the risk?

Medium severity by CVSS, but elevated contextual risk for AI agent deployments. The insecure-default nature (CWE-1188) means organizations that did not explicitly harden their openclaw browser configuration were exposed without any active misconfiguration on their part — a silent vulnerability class that is easy to miss in security reviews. Cloud-hosted AI agents are at highest risk given metadata endpoint exposure (AWS IMDS, GCP metadata server). The combination of browser tool access, LLM-generated navigation targets, and the active malicious skills ecosystem documented in AIID #1368 creates a compounding threat profile that exceeds the standalone medium rating.

How does the attack unfold?

  1. Initial Targeting (AML.T0006): Adversary identifies a cloud-hosted AI agent using an unpatched openclaw version by probing public signals, error messages, or skill ecosystem listings.

  2. SSRF Trigger (AML.T0049): Adversary delivers a malicious URL (via direct user input, indirect prompt injection in scraped web content, or a poisoned openclaw skill), causing the browser to navigate to a private-network address such as the cloud instance metadata endpoint.

  3. Internal Service Access (AML.T0075): The browser, operating under the insecure default SSRF policy, successfully connects to the private-network target and retrieves sensitive data such as IAM credentials, internal API tokens, or configuration from metadata endpoints.

  4. Credential Harvest and Escalation (AML.T0083): Harvested credentials or internal service data surface in the agent's response context or logs, enabling the adversary to authenticate to cloud services and escalate access to production infrastructure.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.4.14 | 2026.4.14 |

4 dependents, 37% patched, ~3d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

  1. Upgrade openclaw to version 2026.4.14 or later — this is the definitive fix.

  2. If immediate upgrade is blocked, explicitly configure browser SSRF restrictions to deny private-network access (loopback, RFC1918 ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and link-local 169.254.0.0/16).

  3. Audit agent logs for unexpected outbound browser requests to private IP ranges, particularly metadata endpoint patterns (169.254.169.254, metadata.google.internal).

  4. In cloud environments, enforce IMDSv2 (AWS) or equivalent metadata access controls as a defense-in-depth measure against SSRF-based credential theft.

  5. Apply network egress filtering on agent workloads to block direct access to internal network segments at the infrastructure layer.
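
One way to carry out steps 2 and 3, as an added example that is not openclaw's own code or configuration: a Node.js classifier for the ranges listed above, run over egress log lines. The JSON-lines log format, its field names, and the function names are assumptions made for the illustration.

```javascript
// Added example, not openclaw code. The ranges are the ones the advisory lists;
// the JSON-lines log format and its field names are constructed for illustration.
const DENIED_V4 = [
  ['127.0.0.0', 8],                                          // loopback
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],  // RFC1918
  ['169.254.0.0', 16],                                       // link-local
];
const DENIED_NAMES = new Set(['localhost', 'metadata.google.internal']);

const toInt = (ip) => ip.split('.').reduce((n, octet) => n * 256 + Number(octet), 0);
const inCidr = (ip, [net, bits]) =>
  Math.floor(toInt(ip) / 2 ** (32 - bits)) === Math.floor(toInt(net) / 2 ** (32 - bits));

// Returns a reason string if the URL's host is a denied target, otherwise null.
function classifyTarget(rawUrl) {
  let host;
  try { host = new URL(rawUrl).hostname.toLowerCase().replace(/\.$/, ''); }
  catch { return 'unparseable-url'; }
  if (DENIED_NAMES.has(host)) return `name:${host}`;
  if (host === '[::1]') return 'loopback-v6';
  // For http(s), URL parsing has already canonicalised decimal, hex and octal
  // IPv4 spellings, so http://2852039166/ arrives here as 169.254.169.254.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return null;
  const hit = DENIED_V4.find((cidr) => inCidr(host, cidr));
  return hit ? `cidr:${hit[0]}/${hit[1]}` : null;
}

// Scans JSON-lines egress logs and returns one finding per flagged navigation.
function auditLog(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    let entry;
    try { entry = JSON.parse(line); } catch { return; }  // skip non-JSON lines
    const reason = entry.url ? classifyTarget(entry.url) : null;
    if (reason) findings.push({ line: i + 1, agent: entry.agent, url: entry.url, reason });
  });
  return findings;
}

// Constructed sample log lines (172.32.0.5 is outside 172.16.0.0/12 and must pass).
const SAMPLE_LOG = [
  '{"ts":"2026-04-18T09:12:01Z","agent":"research-1","url":"https://example.com/paper.html"}',
  '{"ts":"2026-04-18T09:12:03Z","agent":"research-1","url":"http://169.254.169.254/latest/meta-data/iam/security-credentials/"}',
  '{"ts":"2026-04-18T09:12:09Z","agent":"research-2","url":"http://2852039166/"}',
  '{"ts":"2026-04-18T09:13:40Z","agent":"research-2","url":"http://metadata.google.internal/"}',
  '{"ts":"2026-04-18T09:14:02Z","agent":"research-1","url":"http://172.32.0.5/status"}',
];
console.log(auditLog(SAMPLE_LOG));
```

The check covers only the literal URL host; a public hostname that resolves to a private address, or a later redirect hop, still has to be caught at connect time or by the egress filtering in step 5.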

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: 8.4 - AI system operation and monitoring
NIST AI RMF: MANAGE 2.2 - Mechanisms to address AI risks exceeding defined thresholds
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is GHSA-53vx-pmqw-863c actively exploited?

No confirmed active exploitation of GHSA-53vx-pmqw-863c has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-53vx-pmqw-863c?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, browser automation pipelines, AI research agents, multi-agent orchestration.

What is the CVSS score for GHSA-53vx-pmqw-863c?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, browser automation pipelines, AI research agents, multi-agent orchestration

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0075 Cloud Service Discovery
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: 8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

## Summary

Browser SSRF policy default allowed private-network navigation.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.14`
- Patched versions: `>= 2026.4.14`

## Impact

Browser SSRF protection could allow private-network navigation by default in paths where restrictive behavior was expected, exposing internal services or metadata endpoints through browser-driven requests.

## Technical Details

The fix preserves strict SSRF configuration semantics, keeps private-network access disabled unless explicitly opted in, and updates loopback CDP readiness handling for the stricter default.

## Fix

The issue was fixed in #66354 and #66386. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `024f4614a1a1831406e763adc40ef226e3d5e9ed`
- `1dabfef28db523e7de81edeb3dd689e9171236a2`
- `213c36cf51121ef6c05cfccd78037371f968f31a`
- `7eecfa411df3d12e6b810e6ca5df47254fc3db3f`
- PR: #66354, #66386

## Release Process Note

Users should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.

Exploitation Scenario

An adversary targeting a cloud-hosted AI research agent built on openclaw crafts a web page containing a hidden redirect or iframe pointing to the AWS instance metadata endpoint (http://169.254.169.254/latest/meta-data/iam/security-credentials/). When the agent browses to this adversary-controlled page — triggered either through LLM-directed navigation or via indirect prompt injection embedded in scraped content — the browser follows the redirect to the metadata endpoint without SSRF restrictions blocking it. The IAM credentials returned in the response are surfaced in the agent's context window, where they may be logged, summarized in agent output, or leaked through subsequent LLM responses visible to the attacker. The harvested credentials are then used to escalate access to cloud resources, exfiltrate data, or pivot to other internal services.

Weaknesses (CWE)

CWE-1188 — Initialization of a Resource with an Insecure Default: The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

Source: MITRE CWE corpus.

Timeline

Published: April 17, 2026
Last Modified: April 17, 2026
First Seen: April 18, 2026
