GHSA-rj2p-j66c-mgqh: openclaw: SSRF policy bypass in browser tab actions

GHSA-rj2p-j66c-mgqh MEDIUM
Published April 17, 2026
CISO Take

The openclaw npm package, an AI agent browser automation framework, contains an SSRF policy bypass in its tab select and close action routes, allowing agent-driven browser navigation to reach network targets that the configured SSRF policy was explicitly meant to block. While rated medium severity with no public exploit and absent from the CISA KEV, SSRF vulnerabilities in AI agent browser tools carry outsized risk in cloud environments — a bypassed policy could expose AWS/GCP metadata endpoints, internal APIs, or private microservices to agent-controlled requests, potentially leading to credential theft or lateral movement. Blast radius is partially contained with only 4 downstream npm dependents, but the same package carries 135 prior CVEs, signaling entrenched security debt that warrants scrutiny of the entire dependency. Upgrade to openclaw 2026.4.10 or later immediately and audit recent agent session logs for tab navigation targeting RFC 1918 ranges or cloud metadata addresses.

Sources: GitHub Advisory, ATLAS

What is the risk?

Medium risk overall, elevated for deployments where openclaw agents operate inside cloud environments or corporate intranets where SSRF policy is the primary network boundary control. Exploitation requires the ability to influence browser tab actions — achievable via prompt injection or by serving crafted content to the agent — placing it at moderate sophistication. The absence of active exploitation and KEV listing reduces immediate urgency, but the SSRF bypass class is well-understood and the browser automation context makes internal service access a realistic post-exploitation path.

How does the attack unfold?

1. Initial Access (AML.T0051.001): Adversary influences the openclaw agent's browser task queue via indirect prompt injection through crafted web content or a poisoned URL, directing the agent to execute tab select or close actions against restricted targets.
2. Policy Bypass (AML.T0053): The tab select or close action branch executes without SSRF policy enforcement, silently bypassing the configured network access controls and allowing navigation to internal or restricted addresses.
3. Internal Access (AML.T0049): The agent's browser reaches cloud metadata endpoints, internal APIs, or private microservices that the SSRF policy was explicitly configured to block, and their responses are returned to the agent's context.
4. Data Exfiltration (AML.T0086): Sensitive data — cloud IAM credentials, internal service responses, or configuration secrets — is captured from the agent's context and exfiltrated by the adversary through subsequent tool invocations or prompt extraction.

What systems are affected?

Package: OpenClaw
Ecosystem: npm
Vulnerable Range: < 2026.4.10
Patched: 2026.4.10
4 dependents, 37% patched, ~3d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What should I do?

1) Upgrade openclaw to version 2026.4.10 or later; the current stable release 2026.4.14 includes the fix.
2) If immediate upgrade is blocked, enforce external network-level SSRF controls via firewall egress rules to block RFC 1918 ranges and cloud metadata endpoints (169.254.169.254, fd00:ec2::254) at the infrastructure layer.
3) In AWS environments, enforce IMDSv2 (PUT-only token exchange) as defense-in-depth to neutralize metadata service SSRF impact.
4) Audit agent browser session logs for tab navigation to private IP ranges or cloud metadata addresses.
5) Treat the 135-CVE history of this package as a signal for broader dependency risk review.
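One way to run the log audit from step 4, as an added example that is not openclaw's own code. The JSON-lines layout, the field names (`ts`, `action`, `url`) and the action names are assumptions, and the sample log is constructed; only the address ranges come from the remediation steps.

```javascript
const net = require('node:net');

// Targets named in the remediation steps: RFC 1918 ranges and metadata addresses.
const restricted = new net.BlockList();
restricted.addSubnet('10.0.0.0', 8, 'ipv4');
restricted.addSubnet('172.16.0.0', 12, 'ipv4');
restricted.addSubnet('192.168.0.0', 16, 'ipv4');
restricted.addAddress('169.254.169.254', 'ipv4');
restricted.addAddress('fd00:ec2::254', 'ipv6');

// Return why a URL is flagged, or null when it is not a restricted IP literal.
function classifyTarget(rawUrl) {
  let host;
  try {
    // URL parsing canonicalises the host; IPv6 literals come back in brackets.
    host = new URL(rawUrl).hostname.replace(/^\[|\]$/g, '');
  } catch {
    return 'unparseable-url';
  }
  const family = net.isIP(host);      // 0 = hostname, 4 or 6 = IP literal
  if (family === 0) return null;      // hostnames are not resolved by this check
  const type = family === 4 ? 'ipv4' : 'ipv6';
  return restricted.check(host, type) ? 'restricted-address' : null;
}

// Scan JSON-lines log text (assumed schema: ts, action, url) for flagged targets.
function auditTabLog(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    let entry;
    try { entry = JSON.parse(line); } catch { continue; }
    if (typeof entry.url !== 'string') continue;
    const reason = classifyTarget(entry.url);
    if (reason) findings.push({ ts: entry.ts, action: entry.action, url: entry.url, reason });
  }
  return findings;
}

// Constructed sample log lines, not real openclaw output.
const SAMPLE_LOG = [
  '{"ts":"2026-04-16T09:00:01Z","action":"tabs.select","url":"https://example.com/docs"}',
  '{"ts":"2026-04-16T09:00:07Z","action":"tabs.select","url":"http://169.254.169.254/latest/meta-data/"}',
  '{"ts":"2026-04-16T09:01:12Z","action":"tabs.close","url":"http://10.20.30.40:8080/admin"}',
  '{"ts":"2026-04-16T09:02:30Z","action":"tabs.select","url":"http://[fd00:ec2::254]/latest/"}',
  '{"ts":"2026-04-16T09:03:00Z","action":"tabs.open","url":"http://172.32.0.1/"}',
].join('\n');

console.log(auditTabLog(SAMPLE_LOG));
```

Hostnames that resolve to internal addresses are not caught by a literal-address scan; resolve logged hostnames separately if the logs contain them.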

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system network security
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain treatment of AI risks are in place
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is GHSA-rj2p-j66c-mgqh actively exploited?

No confirmed active exploitation of GHSA-rj2p-j66c-mgqh has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-rj2p-j66c-mgqh?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, browser automation, AI agent pipelines, cloud-hosted AI agents.

What is the CVSS score for GHSA-rj2p-j66c-mgqh?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, browser automation, AI agent pipelines, cloud-hosted AI agents

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0085.001 AI Agent Tools
AML.T0086 Exfiltration via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

## Summary

Browser tabs action select and close routes bypassed SSRF policy.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.10`
- Patched versions: `>= 2026.4.10`

## Impact

The browser `/tabs/action` select and close branches could operate on targets without enforcing configured browser SSRF policy, weakening tab-level navigation protections.

## Technical Details

The fix enforces browser SSRF policy in the select and close tab-action branches.

## Fix

The issue was fixed in #63332. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `48c0347921b7e9438af0312968fc360ca88023f3`
- PR: #63332

## Release Process Note

Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @tdjackey for reporting this issue.
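The bug class the advisory describes, per-branch policy checks where some branches omit the check, shown as an added model that is not openclaw's code. The handler shapes, the `new` action, the request fields and the stand-in `policyAllows` are all assumptions; the probe at the end is a regression check that lists which actions still succeed against a denied target.

```javascript
// Hypothetical action set; only select and close are named in the advisory.
const ACTIONS = ['new', 'select', 'close'];

// Stand-in for the configured SSRF policy: denies the metadata address the page names.
const policyAllows = (url) => new URL(url).hostname !== '169.254.169.254';

// "Before" shape: each branch owns its policy check, and two branches have none.
function tabActionBefore(tabs, req) {
  switch (req.action) {
    case 'new':
      if (!policyAllows(req.url)) return { status: 403 };
      tabs.set(req.tabId, req.url);
      return { status: 200 };
    case 'select':
      return tabs.has(req.tabId) ? { status: 200, active: req.tabId } : { status: 404 };
    case 'close':
      return tabs.delete(req.tabId) ? { status: 200 } : { status: 404 };
    default:
      return { status: 400 };
  }
}

// "After" shape: resolve the target once and enforce policy before any branch runs.
function tabActionAfter(tabs, req) {
  if (!ACTIONS.includes(req.action)) return { status: 400 };
  const target = req.action === 'new' ? req.url : tabs.get(req.tabId);
  if (target === undefined) return { status: 404 };
  if (!policyAllows(target)) return { status: 403 };
  return tabActionBefore(tabs, req);   // branches now run only on permitted targets
}

// Regression probe: which actions succeed on a tab whose URL the policy denies?
function actionsSkippingPolicy(handler) {
  const denied = 'http://169.254.169.254/latest/meta-data/';
  return ACTIONS.filter((action) => {
    const tabs = new Map([['t1', denied]]);   // tab already pointing at a denied target
    return handler(tabs, { action, tabId: 't1', url: denied }).status !== 403;
  });
}

console.log(actionsSkippingPolicy(tabActionBefore), actionsSkippingPolicy(tabActionAfter));
```

Driving the probe from the full action list means a branch added later without a policy check fails the check instead of shipping silently.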

Exploitation Scenario

An adversary delivers crafted web content to an openclaw-powered agent — via indirect prompt injection through a malicious URL in the agent's task queue or via a poisoned webpage the agent is directed to visit — embedding instructions to perform a tab select or close action targeting http://169.254.169.254/latest/meta-data/iam/security-credentials/. Because the SSRF policy is not enforced in the tab select and close branches, the agent's browser navigates freely to the cloud metadata endpoint. The response, potentially containing instance role credentials, is returned to the agent's context. From there, the adversary harvests the credentials and uses them to authenticate against AWS APIs, pivoting deeper into the internal environment.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

Timeline

Published
April 17, 2026
Last Modified
April 17, 2026
First Seen
April 18, 2026
