GHSA-9q7v-8mr7-g23p: OpenClaw: SSRF in marketplace fetch hits internal AI infra

GHSA-9q7v-8mr7-g23p MEDIUM
Published April 2, 2026
CISO Take

OpenClaw's unguarded fetch() in its marketplace plugin downloader allows any user who can trigger a plugin install to pivot into internal networks — including Ollama model servers, cloud metadata endpoints, and internal AI services. Patch to 2026.3.31 immediately; if you can't, disable marketplace plugin installs at the application or network layer. This is medium severity but trivially exploitable in environments where AI tooling sits on a flat internal network.

What is the risk?

Medium severity with meaningful blast radius in typical AI/ML deployments. SSRF via fetch() is trivial to weaponize — no AI expertise required, just a crafted URL. The real risk is architectural: AI platforms like OpenClaw commonly run with broad internal network access to model servers, data pipelines, and cloud APIs. The Ollama discovery vector is partially mitigated (operator-configured trust model), but the marketplace archive-fetch vector is unambiguous and unmitigated pre-patch. Cloud-hosted deployments are at highest risk due to IMDS exposure (AWS 169.254.169.254, GCP metadata.google.internal).

What systems are affected?

Package: openclaw
Ecosystem: npm
Vulnerable Range: <= 2026.3.28
Patched: 2026.3.31
4 dependents, 91% patched, ~0d to patch

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

  1. Patch immediately

    Upgrade to openclaw >= 2026.3.31 (npm: npm install openclaw@latest).

  2. Workaround if patching is blocked

    Disable marketplace plugin downloads at the application level or block outbound HTTP from the OpenClaw server via firewall/egress rules.

  3. Network-level defense

    Enforce egress allowlisting — AI application servers should only reach known external endpoints, not arbitrary URLs. Block access to 169.254.169.254, 100.100.100.200 (Alibaba IMDS), and internal RFC1918 ranges from the OpenClaw process.

  4. Detection

    Alert on HTTP requests from your AI application servers to cloud metadata IPs or internal subnet ranges. Review application logs for marketplace download events with internal/private IP destinations.

  5. Audit

    Check currently installed plugins for unexpected origins — malicious plugins may have been fetched before patching.
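
A destination check of the kind steps 3 and 4 call for, usable before a download or over logged download URLs. This is an added example, not OpenClaw's code or its fix; `checkDestination`, the reason labels and the caller-supplied `resolved` list are assumptions.

```javascript
// Added example, not OpenClaw code. Ranges: the advisory's metadata IPs and
// RFC1918; loopback, link-local and unspecified are added here.
const BLOCKED_V4 = [
  ['169.254.0.0', 16, 'metadata/link-local'], // includes 169.254.169.254
  ['100.100.100.200', 32, 'metadata'],        // Alibaba IMDS
  ['10.0.0.0', 8, 'rfc1918'], ['172.16.0.0', 12, 'rfc1918'],
  ['192.168.0.0', 16, 'rfc1918'], ['127.0.0.0', 8, 'loopback'],
  ['0.0.0.0', 8, 'unspecified'],
];
const v4ToInt = (ip) => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0);

function classifyV4(ip) {
  const addr = v4ToInt(ip);
  for (const [base, bits, label] of BLOCKED_V4) {
    const start = v4ToInt(base);
    if (addr >= start && addr < start + 2 ** (32 - bits)) return label;
  }
  return null;
}

function classifyV6(ip) {
  const h = ip.toLowerCase();
  if (h === '::1' || h === '::') return 'loopback/unspecified';
  if (/^f[cd][0-9a-f]{2}:/.test(h)) return 'unique-local'; // fc00::/7
  if (/^fe[89ab][0-9a-f]:/.test(h)) return 'link-local';   // fe80::/10
  // IPv4-mapped form as the URL parser serialises it: ::ffff:a9fe:a9fe
  const m = h.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (!m) return null;
  const n = parseInt(m[1], 16) * 65536 + parseInt(m[2], 16);
  return classifyV4([n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.'));
}

// `resolved`: addresses the caller's DNS lookup returned (unused for IP literals).
function checkDestination(rawUrl, resolved = []) {
  let url;
  try { url = new URL(rawUrl); } catch { return { allowed: false, reason: 'unparseable' }; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:')
    return { allowed: false, reason: 'scheme' };
  // hostname is normalised by the parser: http://2130706433/ -> 127.0.0.1
  const host = url.hostname.replace(/^\[|\]$/g, '');
  const literal = host.includes(':') || /^\d+\.\d+\.\d+\.\d+$/.test(host);
  const candidates = literal ? [host] : resolved;
  if (candidates.length === 0) return { allowed: false, reason: 'unresolved' };
  for (const ip of candidates) {
    const hit = ip.includes(':') ? classifyV6(ip) : classifyV4(ip);
    if (hit) return { allowed: false, reason: hit };
  }
  return { allowed: true, reason: 'public' };
}
```

The verdict only holds if the download then connects to the address that was checked and the check is repeated on every redirect.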

Classification

Compliance Impact

This advisory is relevant to:

EU AI Act: Art.15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.6.2.3 - AI System Security
NIST AI RMF: GOVERN-6.2 - Policies and procedures are in place for AI risk management
OWASP LLM Top 10: LLM03:2025 - Supply Chain Vulnerabilities; LLM06:2025 - Excessive Agency

Frequently Asked Questions

Is GHSA-9q7v-8mr7-g23p actively exploited?

No confirmed active exploitation of GHSA-9q7v-8mr7-g23p has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-9q7v-8mr7-g23p?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Plugin/extension systems, Model serving (Ollama), LLM inference platforms, Self-hosted LLM deployments.

What is the CVSS score for GHSA-9q7v-8mr7-g23p?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Summary

SSRF via Unguarded `fetch()` in Marketplace Plugin Download and Ollama Model Discovery

## Current Maintainer Triage

- Status: narrow
- Normalized severity: medium
- Assessment: Keep the shipped marketplace archive-fetch SSRF, but narrow out the Ollama half because it is operator-configured and overlaps weaker trust-model or duplicate SSRF ground.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`

## Fix Commit(s)

- `8deb9522f3d2680820588b190adb4a2a52f3670b` — 2026-03-30T20:08:38+01:00

OpenClaw thanks @tdjackey for reporting.

Exploitation Scenario

An attacker with access to OpenClaw's marketplace plugin install feature (authenticated user or via an exposed API endpoint) crafts a plugin package URL pointing to an internal resource: `http://169.254.169.254/latest/meta-data/iam/security-credentials/` on AWS, or `http://10.0.0.5:11434/api/tags` to enumerate available Ollama models on an internal server. OpenClaw's marketplace download handler calls `fetch()` without validating the destination, executes the request from the server's network context, and returns the response body — potentially leaking IAM credentials, internal service details, or model inventories. In an agentic deployment where OpenClaw manages tool orchestration, compromised IAM credentials from the metadata service can be used to pivot into cloud storage (S3/GCS) containing training data or proprietary model weights.

Timeline

Published: April 2, 2026
Last Modified: April 2, 2026
First Seen: April 3, 2026

Related Vulnerabilities