GHSA-vjx8-8p7h-82gr: openclaw: SSRF in marketplace plugin download

GHSA-vjx8-8p7h-82gr MEDIUM
Published April 7, 2026
CISO Take

openclaw's marketplace plugin installer follows HTTP redirects without SSRF controls, meaning any deployment that installs a crafted plugin archive can be coerced into issuing arbitrary HTTP requests to internal endpoints — including cloud metadata services (AWS IMDSv1, GCP, Azure IMDS), internal dashboards, or private APIs. For AI agent frameworks with broad filesystem and network access, SSRF is a direct stepping stone to credential theft and lateral movement, not just a theoretical network concern. Context amplifies the risk significantly here: openclaw already carries 37 known CVEs, and AIID incident #1368 documents active abuse of its plugin marketplace (ClawHub) to distribute credential-stealing malware via the same plugin distribution channel this SSRF inhabits. Patch to openclaw 2026.3.31 immediately; if upgrades are blocked, disable marketplace plugin installation and enforce egress firewall rules restricting access to RFC-1918 ranges and cloud metadata endpoints from the openclaw process.

Sources: GitHub Advisory, ATLAS, CISA KEV

Risk Assessment

Rated medium by CVSS but contextually elevated for cloud-hosted AI agent deployments. The attack surface is the marketplace plugin download flow — a privileged operation in agentic systems that commonly run with elevated credentials and broad network access. With no EPSS data and no CISA KEV entry, automated exploitation at scale is not yet observed, but AIID #1368 confirms the openclaw marketplace is already under active abuse, materially increasing the probability this SSRF vector will be weaponized. The 37-CVE history for this package signals systemic security debt that warrants treating any new vulnerability as higher-risk than its CVSS score suggests.

Affected Systems

Package    Ecosystem    Vulnerable Range    Patched
openclaw   npm          <= 2026.3.28        2026.3.31


Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

Recommended Action

  1. Upgrade to openclaw >= 2026.3.31, which removes the bare redirect-following fetch in src/plugins/marketplace.ts.
  2. If immediate upgrade is blocked, disable marketplace plugin installation or restrict it to an internal, vetted mirror.
  3. Enforce egress firewall rules on openclaw hosts to block access to cloud metadata endpoints (169.254.169.254, fd00:ec2::254) and RFC-1918 ranges from the application process.
  4. Audit all marketplace-installed plugins against trusted checksums — given AIID #1368, treat recently installed skills as suspect until verified.
  5. Review host-level and WAF logs for anomalous outbound HTTP requests originating from the openclaw process during plugin install operations as an indicator of prior exploitation.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.9.3 - AI system risk management
NIST AI RMF: MANAGE-2.2 - Mechanisms for tracking and addressing AI system vulnerabilities
OWASP LLM Top 10: LLM07:2023 - Insecure Plugin Design

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Technical Details

NVD Description

## Summary

Marketplace Plugin Download Follows Redirects Without SSRF Protection

## Current Maintainer Triage

- Status: open
- Normalized severity: medium
- Assessment: v2026.3.28 still uses bare redirect-following fetch in src/plugins/marketplace.ts for marketplace archives, and fixed-on-main only does not change that shipped SSRF exposure.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`

## Fix Commit(s)

- `2ce44ca6a1302b166a128abbd78f72114f2f4f52` — 2026-03-31T12:59:42+01:00

## Release Process Note

- The fix is already present in released version `2026.3.31`.
- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.

Thanks @AntAISecurityLab for reporting.

Exploitation Scenario

An attacker publishes a malicious plugin archive to ClawHub or compromises a legitimate package's distribution URL to serve a redirect to an internal target. When an openclaw administrator or an automated CI/CD pipeline installs the plugin, the unprotected fetcher in marketplace.ts follows the redirect without validation, issuing an HTTP GET to the attacker-chosen internal URL — for example, http://169.254.169.254/latest/meta-data/iam/security-credentials/ on AWS. The response is returned into the plugin install context and potentially logged or processed, leaking IAM credentials. The attacker uses those credentials to pivot into the target's cloud environment. This attack chain is a direct extension of the AIID #1368 scenario where the same plugin channel was weaponized to deliver the AMOS credential stealer.
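The control missing from the redirect-following download can be sketched as a hop-by-hop check: follow redirects by hand and validate every `Location` target before requesting it. This is an added example, not code from openclaw or its fix commit; `Resolver`, `Fetcher`, `checkHop`, `resolveDownloadUrl`, the sample hostnames and the blocked-range list are assumptions made for illustration.

```typescript
// Added example, not openclaw code. DNS and HTTP are injected so it runs offline.
type Resolver = (host: string) => string[]; // hypothetical DNS lookup
type Fetcher = (url: string) => { status: number; location?: string }; // one request, redirects off
// Constructed sample data: DNS answers, and the redirect each URL returns.
const SAMPLE_DNS: Record<string, string[]> = { "plugins.example.test": ["203.0.113.10"], "169.254.169.254": ["169.254.169.254"] };
const SAMPLE_HOPS: Record<string, string> = { "https://plugins.example.test/a.tgz": "http://169.254.169.254/latest/meta-data/" };
// IPv4 ranges a plugin download must never reach: [base, prefix length].
const BLOCKED_V4: [string, number][] = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function v4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) return null;
  return parts.reduce((n, p) => n * 256 + Number(p), 0);
}

function isBlockedAddress(ip: string): boolean {
  const a = ip.toLowerCase();
  if (a.includes(":")) {
    // IPv6: loopback, unspecified, IPv4-mapped (refused outright), fc00::/7, fe80::/10.
    return a === "::1" || a === "::" || a.startsWith("::ffff:") || /^f[cd][0-9a-f]{2}:/.test(a) || /^fe[89ab][0-9a-f]:/.test(a);
  }
  const n = v4ToInt(a);
  if (n === null) return true; // not an address at all: fail closed
  return BLOCKED_V4.some(([base, bits]) =>
    Math.floor(n / 2 ** (32 - bits)) === Math.floor((v4ToInt(base) ?? -1) / 2 ** (32 - bits)));
}

// Validate one hop: http(s) only, and every address the host resolves to must be public.
function checkHop(url: string, resolve: Resolver): URL {
  const u = new URL(url);
  if (u.protocol !== "https:" && u.protocol !== "http:") throw new Error(`blocked scheme ${u.protocol}`);
  const addrs = resolve(u.hostname.replace(/^\[|\]$/g, ""));
  if (addrs.length === 0 || addrs.some(isBlockedAddress)) throw new Error(`blocked host ${u.hostname}`);
  return u;
}

// Follow redirects by hand, re-validating each Location before requesting it.
function resolveDownloadUrl(start: string, fetchHop: Fetcher, resolve: Resolver, maxHops = 5): string {
  let current = checkHop(start, resolve);
  for (let i = 0; i <= maxHops; i++) {
    const res = fetchHop(current.href);
    if (res.status < 300 || res.status >= 400 || !res.location) return current.href;
    current = checkHop(new URL(res.location, current).href, resolve);
  }
  throw new Error("too many redirects");
}
```

In a real client the two injected functions are asynchronous (for instance `fetch` with `redirect: "manual"` and a DNS lookup that returns all addresses), and the connection must be made to the address that was validated so a second DNS answer cannot swap in an internal one.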

Timeline

Published: April 7, 2026
Last Modified: April 7, 2026
First Seen: April 7, 2026
