GHSA-c4qm-58hj-j6pj: openclaw: SSRF bypass exposes internal pages in browser tool

GHSA-c4qm-58hj-j6pj MEDIUM
Published April 17, 2026
CISO Take

openclaw's browser automation routes — snapshot, screenshot, and tab — failed to re-validate the final navigation target against the configured SSRF policy after route-driven redirects, allowing authenticated callers to render and capture content from internal or otherwise restricted pages. In AI agent deployments where an LLM directs browser navigation based on user-supplied tasks or retrieved web content, authentication alone does not prevent exploitation: a prompt injection embedded in a malicious page could silently redirect the agent to an internal endpoint (e.g., cloud IMDS at 169.254.169.254) and return sensitive data as part of the agent's normal output. With 135 prior CVEs attributed to the same package and active abuse of the openclaw skills ecosystem reported in AIID #1368, the overall security posture of openclaw warrants elevated scrutiny beyond this single advisory. Upgrade to openclaw 2026.4.14 immediately; pending patching, enforce a strict SSRF allowlist at the network layer and restrict browser tool endpoint access to the minimum required callers.

Sources: GitHub Advisory, ATLAS

What is the risk?

Medium severity overall, but contextually elevated for AI agent deployments. The authentication prerequisite limits opportunistic exploitation in traditional web contexts, but LLM-driven agents are uniquely exposed: the model itself may act as an unintentional proxy, navigating to adversary-controlled or injected URLs as a normal part of task execution — bypassing the authentication barrier entirely. Cloud-hosted agents face amplified risk given accessible IMDS endpoints. The vulnerability sits inside browser automation capability designed for broad web access, making the potential target surface for SSRF wide.

How does the attack unfold?

  1. Initial Access (AML.T0012): Adversary obtains authenticated access to an openclaw-powered agent or browser tool endpoint, either directly or by injecting malicious instructions into content the LLM will retrieve.

  2. Malicious Navigation (AML.T0053): Adversary triggers route-driven browser navigation to an internal or SSRF-restricted URL — such as a cloud metadata endpoint or internal admin panel — via a crafted task or injected prompt.

  3. Policy Bypass (AML.T0049): Snapshot, screenshot, or tab route returns fully rendered page content without re-validating the final navigation target against the configured SSRF policy.

  4. Data Exfiltration (AML.T0086): Internal page content — including IAM credentials, tokens, configuration data, or sensitive intranet resources — is delivered to the adversary as part of the browser tool response.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.4.14 | 2026.4.14 |

4 dependents; 37% patched; ~3d to patch

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

  1. Upgrade openclaw to version 2026.4.14 or later immediately — this is the only complete fix.

  2. Audit all services invoking openclaw browser routes; restrict access to authenticated, authorized callers with a demonstrated need.

  3. Enforce network-level SSRF blocking: deny RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), and cloud metadata addresses (169.254.169.254) as defense-in-depth.

  4. Review browser route access logs for anomalous snapshot/screenshot calls targeting internal IPs or localhost.

  5. If patching is not immediately possible, disable snapshot, screenshot, and tab routes or gate them behind additional authorization middleware until the upgrade is applied.

How is it classified?

Which compliance frameworks are affected?

This advisory is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.1.5 - Information security in AI system development
NIST AI RMF: MANAGE 2.2 - Mechanisms to respond to and recover from AI risks
OWASP LLM Top 10: LLM07:2023 - Insecure Plugin Design

Frequently Asked Questions

Is GHSA-c4qm-58hj-j6pj actively exploited?

No confirmed active exploitation of GHSA-c4qm-58hj-j6pj has been reported, but organizations should still patch proactively.

How to fix GHSA-c4qm-58hj-j6pj?

  1. Upgrade openclaw to version 2026.4.14 or later immediately — this is the only complete fix.

  2. Audit all services invoking openclaw browser routes; restrict access to authenticated, authorized callers with a demonstrated need.

  3. Enforce network-level SSRF blocking: deny RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), and cloud metadata addresses (169.254.169.254) as defense-in-depth.

  4. Review browser route access logs for anomalous snapshot/screenshot calls targeting internal IPs or localhost.

  5. If patching is not immediately possible, disable snapshot, screenshot, and tab routes or gate them behind additional authorization middleware until the upgrade is applied.

What systems are affected by GHSA-c4qm-58hj-j6pj?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, computer-use agents, browser automation pipelines, multi-agent systems.

What is the CVSS score for GHSA-c4qm-58hj-j6pj?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, computer-use agents, browser automation pipelines, multi-agent systems

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0051.001 Indirect
AML.T0053 AI Agent Tool Invocation
AML.T0086 Exfiltration via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.1.5
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07:2023

What are the technical details?

Original Advisory

## Summary

Browser snapshot and screenshot routes could expose internal page content after navigation.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.14`
- Patched versions: `>= 2026.4.14`

## Impact

Authenticated browser tool callers could use snapshot, screenshot, or tab routes that did not consistently validate the final browser target after route-driven navigation. In restrictive browser SSRF configurations this could expose content from internal or otherwise disallowed pages.

## Technical Details

The fix re-checks browser snapshot, screenshot, and tab route results against the configured browser SSRF policy before returning page content. Regression coverage was added around snapshot/screenshot and tab-route flows.

## Fix

The issue was fixed in #66040. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `b75ad800a59009fc47eaa3471410f69046150e59`
- PR: #66040

## Release Process Note

Users should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.

Exploitation Scenario

An adversary with authenticated access to an openclaw-powered AI agent submits a task that directs the browser to navigate to an internal URL — for example, http://169.254.169.254/latest/meta-data/ or an internal admin panel. Before the fix, the snapshot or screenshot route returns the fully rendered page content without re-checking the final navigation target against the SSRF policy, delivering IAM credentials, internal tokens, or sensitive configuration data to the caller. In an LLM-driven agent, a prompt injection embedded in malicious web content retrieved during a legitimate task could trigger this navigation silently — the exfiltrated content then appears as part of the agent's normal task response with no direct adversary interaction required.
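
A simplified model of the gap described in the advisory, using the deny ranges from the remediation steps, as an added example (not openclaw's code): checking only the requested URL lets a navigation that ends on an internal address through, while re-checking the final URL before returning content blocks it. The function names and the `page` object are hypothetical, and hostnames are not resolved to addresses here.

```javascript
// Added example; not openclaw's code. Function names and the page object are hypothetical.
// Deny ranges are the ones listed in the remediation steps on this page.
const DENY_CIDRS = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8', '169.254.169.254/32'];

// Dotted-quad IPv4 string -> unsigned 32-bit integer, or null if not an IPv4 literal.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return null;
  return parts.reduce((acc, p) => ((acc << 8) | Number(p)) >>> 0, 0);
}

// True when ipInt falls inside the CIDR block (prefix lengths 1..32).
function inCidr(ipInt, cidr) {
  const [base, bits] = cidr.split('/');
  const mask = (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ipInt & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Returns a reason string when the URL violates the policy, or null when it is allowed.
function violation(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return 'unparseable URL'; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return `scheme ${url.protocol}`;
  const host = url.hostname; // WHATWG parsing normalizes forms such as http://2130706433/
  if (host === 'localhost' || host.endsWith('.localhost') || host === '[::1]') return 'loopback host';
  const ipInt = ipv4ToInt(host);
  if (ipInt === null) return null; // a name: a production check must also vet what it resolves to
  const hit = DENY_CIDRS.find((cidr) => inCidr(ipInt, cidr));
  return hit ? `address in ${hit}` : null;
}

// Vulnerable shape: only the URL the caller asked for is checked.
function checkRequestedOnly(requestedUrl, page) {
  return violation(requestedUrl) ? { ok: false } : { ok: true, content: page.content };
}

// Fixed shape: the page's final URL is re-checked before any content is returned.
function checkFinalTarget(requestedUrl, page) {
  const reason = violation(requestedUrl) || violation(page.finalUrl);
  return reason ? { ok: false, reason } : { ok: true, content: page.content };
}

// Constructed sample: an allowed start URL whose navigation ended on the metadata address.
const page = { finalUrl: 'http://169.254.169.254/latest/meta-data/', content: '<constructed internal page>' };
console.log('requested-only check returns content:', checkRequestedOnly('https://example.com/start', page).ok);
console.log('final-target check:', checkFinalTarget('https://example.com/start', page));
```

The same `violation` function can be run over the URLs recorded in browser route access logs to flag snapshot or screenshot calls that ended on internal addresses.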

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

Timeline

Published: April 17, 2026
Last Modified: April 17, 2026
First Seen: April 18, 2026
