AI Threat Alert

GHSA-xq94-r468-qwgj: openclaw: DNS rebinding bypasses browser SSRF protection

GHSA-xq94-r468-qwgj MEDIUM
Published April 17, 2026
CISO Take

A DNS rebinding flaw in openclaw's browser navigation policy lets attackers invalidate SSRF hostname checks after Chromium has already passed validation, creating a pivot path into internal network services from attacker-controlled web content. For security teams running openclaw-based AI agents that autonomously browse the web, this means any agent visiting a malicious site could be redirected to internal APIs, cloud metadata endpoints, or databases accessible from the agent's host — no additional user interaction beyond the agent's normal browsing is required. openclaw carries 135 CVEs on record and 4 downstream dependents, indicating recurring security debt in a package with a broad agentic attack surface; while no public exploit or CISA KEV entry exists, DNS rebinding tooling is widely available and this class of attack against agentic browsers is increasingly documented in the wild. Upgrade to openclaw >= 2026.4.10 (latest stable: 2026.4.14) immediately and network-segment AI agent workloads to limit the internal pivot blast radius.

Sources: GitHub Advisory ATLAS

What is the risk?

Medium risk overall, elevated for organizations running openclaw agents with access to internal networks. DNS rebinding attacks are well-understood and require only attacker control of DNS plus a short TTL — no authentication bypass or zero-day beyond the unpatched package is needed. The absence of EPSS data and public exploits tempers urgency, but openclaw's 135 prior CVEs and the agentic browser attack surface warrant prompt patching. Environments where agents can reach cloud metadata services (169.254.169.254), internal APIs, or credential stores face the highest impact.

How does the attack unfold?

Domain Setup
Attacker registers a domain with a 1-second TTL initially resolving to a benign public IP, designed to pass openclaw's SSRF hostname validation on first contact.
AML.T0008.002
Drive-by Compromise
An openclaw AI agent browses the attacker's domain during normal operation; SSRF validation passes because the initial DNS resolution returns the expected public IP.
AML.T0078
DNS Rebinding
Attacker rebinds the domain DNS to an internal target IP (cloud metadata service or internal API); Chromium re-resolves the now-expired TTL and connects to the internal resource, bypassing SSRF controls.
AML.T0053
Internal Data Exfiltration
Browser fetches internal service data — cloud credentials, API tokens, internal configurations — and returns responses to the attacker through the now-rebinded browser session.
AML.T0086

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw npm < 2026.4.10 2026.4.10
4 dependents 37% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What should I do?

5 steps

  1. Upgrade openclaw to >= 2026.4.10; the npm release openclaw@2026.4.14 is the latest patched version.

  2. Network-segment AI agent workloads: block agent processes from reaching RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata IPs (169.254.169.254).

  3. Deploy DNS rebinding protections at the resolver layer — configure split-horizon DNS or resolver policies that reject private IP answers for public domain queries.

  4. Monitor browser automation processes for outbound connections to internal IPs; alert on any Chromium-originating traffic to metadata services.

  5. Audit openclaw browser navigation allowlists and apply the principle of least privilege to permitted hostnames.

How is it classified?

Auth Bypass Data Extraction Agent Framework AML.T0053 AML.T0078 AML.T0086

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.8.5 - AI system security in design and development
NIST AI RMF
GOVERN-1.1 - AI Risk Management Policies
OWASP LLM Top 10
LLM02:2025 - Sensitive Information Disclosure LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is GHSA-xq94-r468-qwgj?

A DNS rebinding flaw in openclaw's browser navigation policy lets attackers invalidate SSRF hostname checks after Chromium has already passed validation, creating a pivot path into internal network services from attacker-controlled web content. For security teams running openclaw-based AI agents that autonomously browse the web, this means any agent visiting a malicious site could be redirected to internal APIs, cloud metadata endpoints, or databases accessible from the agent's host — no additional user interaction beyond the agent's normal browsing is required. openclaw carries 135 CVEs on record and 4 downstream dependents, indicating recurring security debt in a package with a broad agentic attack surface; while no public exploit or CISA KEV entry exists, DNS rebinding tooling is widely available and this class of attack against agentic browsers is increasingly documented in the wild. Upgrade to openclaw >= 2026.4.10 (latest stable: 2026.4.14) immediately and network-segment AI agent workloads to limit the internal pivot blast radius.

Is GHSA-xq94-r468-qwgj actively exploited?

No confirmed active exploitation of GHSA-xq94-r468-qwgj has been reported, but organizations should still patch proactively.

How to fix GHSA-xq94-r468-qwgj?

1. Upgrade openclaw to >= 2026.4.10; the npm release openclaw@2026.4.14 is the latest patched version. 2. Network-segment AI agent workloads: block agent processes from reaching RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata IPs (169.254.169.254). 3. Deploy DNS rebinding protections at the resolver layer — configure split-horizon DNS or resolver policies that reject private IP answers for public domain queries. 4. Monitor browser automation processes for outbound connections to internal IPs; alert on any Chromium-originating traffic to metadata services. 5. Audit openclaw browser navigation allowlists and apply the principle of least privilege to permitted hostnames.

What systems are affected by GHSA-xq94-r468-qwgj?

This vulnerability affects the following AI/ML architecture patterns: AI web agents, browser-based automation, agent frameworks.

What is the CVSS score for GHSA-xq94-r468-qwgj?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

AI web agentsbrowser-based automationagent frameworks

MITRE ATLAS Techniques

AML.T0053 AI Agent Tool Invocation
AML.T0078 Drive-by Compromise
AML.T0086 Exfiltration via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.8.5
NIST AI RMF: GOVERN-1.1
OWASP LLM Top 10: LLM02:2025, LLM06:2025

What are the technical details?

Original Advisory

## Summary Browser SSRF hostname validation could be bypassed by DNS rebinding. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Browser navigation policy could validate a hostname/IP resolution that differed from the address Chromium ultimately used, allowing DNS rebinding style SSRF pivots. ## Technical Details The fix tightens strict browser hostname navigation so unallowlisted hostname URLs fail closed under restrictive policy. ## Fix The issue was fixed in #64367. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `121c452d666d4749744dc2089287d0227aae2ed3` - PR: #64367 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.

Exploitation Scenario

An adversary registers a domain (attacker.com) with a 1-second TTL, initially pointing to a benign public IP. An openclaw-powered AI agent is tasked with autonomous web browsing and visits attacker.com; openclaw's SSRF hostname validation checks the DNS resolution, sees the public IP, and permits navigation. The attacker immediately rebinds the DNS record to an internal target — the cloud instance metadata service (169.254.169.254) or an internal microservice API (10.0.0.5). When Chromium makes follow-up requests to attacker.com for resources on the page, it re-resolves the hostname to the internal IP and connects, bypassing SSRF controls entirely. The attacker harvests cloud credentials, instance identity tokens, or sensitive API responses through Chromium's subsequent fetches — all while openclaw believes it is communicating with the originally validated public hostname.

Weaknesses (CWE)

CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action Primary CWE-918 Server-Side Request Forgery (SSRF) Primary

CWE-350 — Reliance on Reverse DNS Resolution for a Security-Critical Action: The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.

  • [Architecture and Design] Use other means of identity verification that cannot be simply spoofed. Possibilities include a username/password or certificate.
  • [Implementation] Perform proper forward and reverse DNS lookups to detect DNS spoofing.

Source: MITRE CWE corpus.

References

Timeline

Published
April 17, 2026
Last Modified
April 17, 2026
First Seen
April 18, 2026

Related Vulnerabilities

CRITICAL CVE-2026-33579 9.9

Analysis pending

Same package: openclaw
CRITICAL CVE-2026-32922 9.9

Analysis pending

Same package: openclaw
CRITICAL CVE-2026-32038 9.8

Analysis pending

Same package: openclaw
CRITICAL CVE-2026-30741 9.8

OpenClaw: RCE via request-side prompt injection

Same package: openclaw
CRITICAL CVE-2026-53838 9.8

OpenClaw: approval scope bypass via reconnection state

Same package: openclaw
Back to Threat Feed