GHSA-j4c5-89f5-f3pm: openclaw: SSRF policy bypass in CDP browser profile creation

GHSA-j4c5-89f5-f3pm LOW
Published April 25, 2026
CISO Take

OpenClaw's browser profile creation accepted arbitrary CDP URLs without validating them against the configured SSRF policy, meaning a stored profile could later probe internal network or cloud metadata endpoints during routine status checks. This only affects deployments where operators explicitly enabled strict-mode SSRF restrictions — default configurations allow private-network CDP endpoints and are not impacted. With only 4 downstream dependents, no public exploit, and no CISA KEV entry, active exploitation in the wild is unlikely; however, cloud-hosted deployments with access to instance metadata services (AWS IMDS, GCP metadata) face elevated credential exposure risk if profile creation is accessible to untrusted users. Strict-mode deployments should upgrade to openclaw 2026.4.20 immediately; no workaround exists short of blocking untrusted profile creation or restricting outbound connectivity from the CDP reachability flow at the network layer.

Sources: GitHub Advisory, ATLAS

What is the risk?

Low overall risk with a narrow but meaningful blast radius in cloud-hosted strict-mode deployments. Exploitability requires an attacker to have access to the browser profile creation endpoint and knowledge that strict-mode SSRF is configured — a non-trivial prerequisite. No EPSS score, no public exploit, and no active exploitation evidence reduce urgency. Notably, this package carries 135 historical CVEs, signaling systemic security debt. Cloud deployments where the OpenClaw process has IMDS access warrant higher priority patching given the credential exfiltration potential.

How does the attack unfold?

  1. Profile Creation Abuse (AML.T0049): Attacker submits a browser profile with a CDP URL targeting an internal address or cloud metadata endpoint (e.g., 169.254.169.254), which is accepted and persisted without SSRF policy validation.

  2. Persistent SSRF Anchor (AML.T0053): The malicious profile is stored in the system, creating a durable SSRF probe point that triggers on every subsequent profile status or reachability check without further attacker interaction.

  3. Internal Network Probing (AML.T0006): Routine profile reachability checks issue outbound HTTP requests to the attacker-supplied internal endpoint, enabling discovery of internal services or retrieval of cloud instance metadata.

  4. Credential Exfiltration (AML.T0083): Cloud metadata responses containing IAM credentials or session tokens are surfaced through CDP connectivity results, enabling privilege escalation and lateral movement beyond the AI agent boundary.

What systems are affected?

Package     Ecosystem   Vulnerable Range   Patched
OpenClaw    npm         < 2026.4.20        2026.4.20

4 dependents, 37% patched, ~3d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

  1. Upgrade openclaw (npm) to version 2026.4.20 (patched).

  2. Audit all existing stored browser profiles for CDP URLs pointing at RFC-1918 ranges, link-local addresses (169.254.0.0/16), or known metadata endpoints.

  3. Restrict browser profile creation to trusted operators in multi-tenant or user-facing deployments.

  4. Add network-layer egress controls blocking outbound CDP connectivity to internal address ranges from the openclaw process.

  5. Review application logs for unexpected CDP reachability check traffic to internal endpoints as an indicator of prior exploitation.

How is it classified?

Which compliance frameworks are affected?

This advisory is relevant to:

EU AI Act: Art.15 - Accuracy, robustness and cybersecurity
ISO 42001: A.8.2 - AI system input controls
NIST AI RMF: MANAGE-2.2 - Mechanisms to maintain AI system security
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is GHSA-j4c5-89f5-f3pm actively exploited?

No confirmed active exploitation of GHSA-j4c5-89f5-f3pm has been reported, but organizations should still patch proactively.

How to fix GHSA-j4c5-89f5-f3pm?

  1. Upgrade openclaw (npm) to version 2026.4.20 (patched).

  2. Audit all existing stored browser profiles for CDP URLs pointing at RFC-1918 ranges, link-local addresses (169.254.0.0/16), or known metadata endpoints.

  3. Restrict browser profile creation to trusted operators in multi-tenant or user-facing deployments.

  4. Add network-layer egress controls blocking outbound CDP connectivity to internal address ranges from the openclaw process.

  5. Review application logs for unexpected CDP reachability check traffic to internal endpoints as an indicator of prior exploitation.

What systems are affected by GHSA-j4c5-89f5-f3pm?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, browser automation agents, multi-tenant AI agent platforms.

What is the CVSS score for GHSA-j4c5-89f5-f3pm?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, browser automation agents, multi-tenant AI agent platforms

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art.15
ISO 42001: A.8.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `< 2026.4.20`
- Patched version: `2026.4.20`

## Impact

Browser profile creation normalized `cdpUrl` values before persisting them, but did not apply the configured browser SSRF policy at creation time. In deployments that explicitly disabled private-network CDP targets, a stored profile could still point at a private-network or metadata endpoint and later be probed by normal profile status flows.

Default trusted-operator browser behavior allows private-network CDP endpoints, so this only affected strict-mode deployments. Severity is low.

## Fix

OpenClaw now checks CDP endpoints against the browser SSRF policy during profile creation and reachability operations.

Fix commits:

- `1fd049e3074cac72f6734a7fe88468c84f5f8bd7`
- `e90c89cf8b1459f2aa1f3a665be67392b6c03fdf`

## Release

Fixed in OpenClaw `2026.4.20`.
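One way to run the stored-profile audit from step 2 of the remediation list, using the same kind of per-URL check the advisory's Fix section describes applying at creation time. This is an added example, not OpenClaw's code; the `{ name, cdpUrl }` profile shape, the internal-hostname list and the loopback category are assumptions.

```javascript
// Added example, not OpenClaw code. The profile shape { name, cdpUrl } is assumed.
const V4_BLOCKS = [ // [network, prefix bits, label]
  ['10.0.0.0', 8, 'rfc1918'], ['172.16.0.0', 12, 'rfc1918'],
  ['192.168.0.0', 16, 'rfc1918'], ['169.254.0.0', 16, 'link-local'],
  ['127.0.0.0', 8, 'loopback'], // extra category beyond the page's list
];
const INTERNAL_HOSTS = new Set(['localhost', 'metadata.google.internal']); // assumed list
const v4ToInt = (ip) => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0);

function classifyV4(ip) {
  const addr = v4ToInt(ip);
  for (const [net, bits, label] of V4_BLOCKS) {
    const size = 2 ** (32 - bits); // addresses per block
    if (Math.floor(addr / size) === Math.floor(v4ToInt(net) / size)) return label;
  }
  return null;
}

function classifyV6(host) { // URL-normalized IPv6 text, brackets removed
  if (host === '::1') return 'loopback';
  const mapped = host.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (mapped) { // IPv4-mapped: judge by the embedded IPv4 address
    const [hi, lo] = mapped.slice(1).map((h) => parseInt(h, 16));
    return classifyV4([hi >> 8, hi & 255, lo >> 8, lo & 255].join('.'));
  }
  const first = parseInt(host.split(':')[0] || '0', 16);
  if ((first & 0xfe00) === 0xfc00) return 'unique-local'; // fc00::/7
  return (first & 0xffc0) === 0xfe80 ? 'link-local' : null; // fe80::/10
}

// Reason string when cdpUrl targets an internal address, else null.
function classifyCdpUrl(cdpUrl) {
  let host;
  try { host = new URL(cdpUrl).hostname; } catch { return 'unparseable'; }
  if (host.startsWith('[')) return classifyV6(host.slice(1, -1));
  if (/^\d+(\.\d+){3}$/.test(host)) return classifyV4(host);
  return INTERNAL_HOSTS.has(host.replace(/\.$/, '')) ? 'internal-hostname' : null;
}

// Audit pass: keep only the stored profiles that need review.
const auditProfiles = (profiles) => profiles
  .map((p) => ({ ...p, reason: classifyCdpUrl(p.cdpUrl) }))
  .filter((p) => p.reason !== null);
const SAMPLE_PROFILES = [ // constructed sample data
  { name: 'grid', cdpUrl: 'wss://cdp.example.com/session' },
  { name: 'meta', cdpUrl: 'http://169.254.169.254/latest/meta-data/' },
  { name: 'mapped', cdpUrl: 'ws://[::ffff:10.0.0.8]:9222' },
];
console.log(auditProfiles(SAMPLE_PROFILES));
```

The check works on the literal host only: a public-looking hostname that resolves to an internal address passes it, so pair the audit with the egress controls from step 4.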

Exploitation Scenario

An attacker with access to the browser profile creation API — whether a compromised operator, a malicious user in a multi-tenant deployment, or an LLM prompt injection that coerces the agent to create a profile — submits a CDP URL set to the cloud instance metadata service (http://169.254.169.254/latest/meta-data/iam/security-credentials/). Since the SSRF policy is not enforced at creation time, the profile is persisted. When OpenClaw performs routine profile status and reachability checks, it issues an HTTP request to the metadata endpoint. The response containing IAM credentials or session tokens may surface in error logs, response caching, or a secondary read operation, enabling privilege escalation outside the AI agent environment.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

Timeline

Published: April 25, 2026
Last Modified: April 25, 2026
First Seen: April 26, 2026

Related Vulnerabilities