GHSA-f7fh-qg34-x2xh: openclaw: CDP SSRF enables internal host pivot

GHSA-f7fh-qg34-x2xh MEDIUM
Published April 17, 2026
CISO Take

The openclaw npm package contains an SSRF-style vulnerability where a browser profile trusts a malicious CDP /json/version response whose webSocketDebuggerUrl points to an arbitrary second-hop host, allowing the agent to establish WebSocket connections to untrusted internal targets without validation. With only 4 known downstream dependents, no CISA KEV entry, and no public exploit available, the immediate blast radius is contained — but the same package carries 135 prior CVEs and a documented real-world incident of credential theft via malicious skills (AIID #1368), signaling systemic security debt that elevates risk beyond what medium severity alone implies. Organizations running AI agents or browser automation workflows on openclaw should upgrade immediately to version 2026.4.5 or later (latest stable: 2026.4.14) and apply egress network controls restricting CDP WebSocket connections to known browser endpoints.

Sources: GitHub Advisory, ATLAS

What is the risk?

Medium risk with elevated contextual concern. The SSRF pivot via CDP WebSocket can expose cloud instance metadata services (AWS/GCP/Azure IMDSv1), internal orchestration APIs, and adjacent microservices from the agent's network position — particularly dangerous in containerized or cloud-deployed AI agent infrastructure. No EPSS data is available and exploitation requires control over a CDP endpoint or browser profile, keeping near-term exploitation likelihood moderate. However, the pattern of 135 CVEs in this package and a real-world credential exfiltration incident in the same ecosystem (AIID #1368) indicate that openclaw represents a high-risk dependency for AI agent pipelines regardless of individual CVE severity.

How does the attack unfold?

  1. CDP Endpoint Compromise (AML.T0049): Adversary controls or compromises a CDP server that openclaw connects to, or plants a malicious browser profile configured to use an attacker-controlled CDP endpoint.

  2. SSRF Pivot via WebSocket URL (AML.T0053): The malicious CDP /json/version response returns a webSocketDebuggerUrl pointing to an internal target (e.g., cloud metadata service, internal API), which pre-patch openclaw follows without host re-validation.

  3. Internal Network Reconnaissance (AML.T0006): openclaw establishes a WebSocket connection to the untrusted second-hop target, granting the adversary the ability to probe and interact with internal network resources from the agent's privileged network position.

  4. Credential and Data Exfiltration (AML.T0025): Adversary retrieves cloud IAM credentials, API keys, or sensitive configuration data accessible via the SSRF pivot, enabling further lateral movement within the AI infrastructure.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
OpenClaw | npm | < 2026.4.5 | 2026.4.5

4 dependents, 37% patched, ~3d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

6 steps
  1. Upgrade openclaw to version 2026.4.5 or later immediately; 2026.4.14 is the current latest stable release containing the fix.

  2. Audit CDP WebSocket connection logs for outbound connections to non-localhost or unexpected hosts — the fix normalizes and re-validates WebSocket targets before connecting.

  3. In containerized AI agent deployments, enforce network egress policies restricting CDP WebSocket connections to known browser host:port pairs only.

  4. If patching is not immediately possible, block outbound access from openclaw processes to cloud metadata endpoints (169.254.169.254, fd00:ec2::254) and internal RFC 1918 address ranges via host firewall.

  5. Review and inventory all third-party CDP endpoints configured in openclaw profiles — each represents a potential SSRF entry point.

  6. Monitor for unexpected WebSocket handshake attempts to internal hosts in agent process network logs.
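For steps 2 and 6, the following added example (not openclaw code) classifies WebSocket destinations found in agent logs against an allowlist of browser host:port pairs, the metadata addresses from step 4, and the RFC 1918 ranges. The log line format, the `ws-connect` and `dst=` fields, and the allowlist entries are constructed for illustration; adapt the regular expression to whatever your agent or proxy actually logs.

```javascript
// Added example: log format, field names and allowlist are constructed.
const METADATA = new Set(["169.254.169.254", "fd00:ec2::254"]);
const ALLOWED = new Set(["127.0.0.1:9222", "10.0.4.7:9222"]); // known browser host:port pairs

function isRfc1918(ip) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(ip);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Split "host:port" or "[ipv6]:port" into its parts.
function splitDst(dst) {
  const m = /^\[([^\]]+)\]:(\d+)$/.exec(dst) || /^([^:]+):(\d+)$/.exec(dst);
  return m ? { host: m[1].toLowerCase(), port: m[2] } : null;
}

function classify(dst, allowed) {
  const t = splitDst(dst);
  if (!t) return "unparseable";
  if (allowed.has(`${t.host}:${t.port}`)) return "allowed";
  if (METADATA.has(t.host)) return "metadata";
  if (isRfc1918(t.host)) return "rfc1918";
  return "unexpected";
}

// Return every WebSocket connection whose destination is not allowlisted.
function audit(lines, allowed) {
  const findings = [];
  for (const line of lines) {
    const m = /\bws-connect\b.*\bdst=(\S+)/.exec(line);
    if (!m) continue; // not a WebSocket connection record
    const verdict = classify(m[1], allowed);
    if (verdict !== "allowed") findings.push({ dst: m[1], verdict });
  }
  return findings;
}

// Constructed sample log lines.
const SAMPLE_LOG = [
  "2026-04-18T10:02:11Z agent pid=4121 ws-connect dst=127.0.0.1:9222",
  "2026-04-18T10:02:14Z agent pid=4121 ws-connect dst=169.254.169.254:80",
  "2026-04-18T10:02:15Z agent pid=4121 ws-connect dst=[fd00:ec2::254]:80",
  "2026-04-18T10:02:19Z agent pid=4121 ws-connect dst=10.0.4.7:8500",
  "2026-04-18T10:02:20Z agent pid=4121 http-get dst=203.0.113.9:443",
  "2026-04-18T10:02:23Z agent pid=4121 ws-connect dst=cdp.example.net:9222",
];
```

An allowlisted pair wins over the range checks, so a browser host on a private address stays quiet while a different port on the same host is still flagged.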

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.6.1.3 - AI System Security
NIST AI RMF
MANAGE 2.2 - Risk Treatment for AI Systems
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions


Is GHSA-f7fh-qg34-x2xh actively exploited?

No confirmed active exploitation of GHSA-f7fh-qg34-x2xh has been reported, but organizations should still patch proactively.


What systems are affected by GHSA-f7fh-qg34-x2xh?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, Browser automation pipelines, CDP-orchestrated AI agents, Cloud-deployed AI agent infrastructure, Multi-tenant AI agent platforms.

What is the CVSS score for GHSA-f7fh-qg34-x2xh?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

Agent frameworks, Browser automation pipelines, CDP-orchestrated AI agents, Cloud-deployed AI agent infrastructure, Multi-tenant AI agent platforms

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.1.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

## Summary

CDP /json/version WebSocket URL could pivot to untrusted second-hop targets.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.5`
- Patched versions: `>= 2026.4.5`

## Impact

A browser profile could trust a CDP `/json/version` response whose `webSocketDebuggerUrl` pointed at a different host, enabling a second-hop SSRF-style pivot.

## Technical Details

The fix normalizes and re-validates direct CDP WebSocket targets before connecting.

## Fix

The issue was fixed in #60469. The first stable tag containing the fix is `v2026.4.5`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `bc356cc8c2beaa747c71dd86cceab8f804699665`
- PR: #60469

## Release Process Note

Users should upgrade to `openclaw` 2026.4.5 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @tdjackey for reporting this issue.

Exploitation Scenario

An adversary controlling a malicious CDP server — reachable via a poisoned browser profile or a compromised shared CDP infrastructure endpoint — responds to openclaw's /json/version request with a crafted payload where webSocketDebuggerUrl is set to an internal target such as http://169.254.169.254/latest/meta-data/ in AWS or an internal model serving API. Pre-patch openclaw accepts the URL without re-validating the target host and opens a WebSocket connection to the second-hop target, routing requests from inside the agent's network boundary. In a cloud-deployed AI agent pipeline, this allows the adversary to retrieve IAM credentials from the metadata service, which can then be used to escalate privileges within the cloud environment, access model weights in S3, or pivot to other AI infrastructure components. The attack requires influencing a CDP /json/version response, achievable by compromising a shared browser profile, deploying a rogue CDP endpoint, or performing a network-level MITM on an unencrypted CDP connection.
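The trust decision described above, as an added example that is not openclaw's code and not the project's actual patch: one way to normalize and re-validate the advertised `webSocketDebuggerUrl` against the configured CDP endpoint before connecting. All function names, the hostname `browser.internal.example` and the sample response bodies are assumptions made for illustration.

```javascript
// Added example, not openclaw's code; all function names are hypothetical.
const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Reduce a parsed URL to a comparable host/port pair. The WHATWG URL parser
// already lowercases the host and canonicalizes alternate IPv4 spellings.
function hostPort(u) {
  return { host: u.hostname.replace(/\.$/, ""), port: u.port || DEFAULT_PORT[u.protocol] };
}

// Pre-patch behaviour as the advisory describes it: the advertised URL is trusted.
function pickTargetUnchecked(versionJson) {
  return versionJson.webSocketDebuggerUrl;
}

// Hardened: the second hop must be the endpoint the profile was configured with.
function pickTargetValidated(cdpEndpoint, versionJson) {
  const configured = new URL(cdpEndpoint);
  let advertised;
  try {
    advertised = new URL(String(versionJson.webSocketDebuggerUrl));
  } catch {
    throw new Error("webSocketDebuggerUrl is not a valid URL");
  }
  if (advertised.protocol !== "ws:" && advertised.protocol !== "wss:") {
    throw new Error(`unexpected scheme ${advertised.protocol}`);
  }
  if (configured.protocol === "https:" && advertised.protocol !== "wss:") {
    throw new Error("TLS endpoint advertised a plaintext WebSocket");
  }
  if (advertised.username || advertised.password) {
    throw new Error("credentials in webSocketDebuggerUrl");
  }
  const want = hostPort(configured);
  const got = hostPort(advertised);
  if (want.host !== got.host || want.port !== got.port) {
    throw new Error(`second hop ${advertised.host} is not ${configured.host}`);
  }
  return advertised.href;
}

// Constructed /json/version bodies (not captured traffic).
const HONEST = { webSocketDebuggerUrl: "ws://browser.internal.example:9222/devtools/browser/abc" };
const PIVOT = { webSocketDebuggerUrl: "ws://169.254.169.254/latest/meta-data/" };

function check(endpoint, versionJson) {
  try { return pickTargetValidated(endpoint, versionJson); }
  catch (e) { return `rejected: ${e.message}`; }
}
```

Comparing parsed host and port rather than raw strings is what defeats userinfo tricks such as `ws://expected-host:9222@other-host/`, where a prefix or substring match on the URL would pass.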

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

Timeline

Published: April 17, 2026
Last Modified: April 17, 2026
First Seen: April 18, 2026
