Browser SSRF policy default allowed private-network navigation.
openclaw< 2026.4.14>= 2026.4.14Browser SSRF protection could allow private-network navigation by default in paths where restrictive behavior was expected, exposing internal services or metadata endpoints through browser-driven requests.
The fix preserves strict SSRF configuration semantics, keeps private-network access disabled unless explicitly opted in, and updates loopback CDP readiness handling for the stricter default.
The issue was fixed in #66354 and #66386. The first stable tag containing the fix is v2026.4.14, and [email protected] includes the fix.
024f4614a1a1831406e763adc40ef226e3d5e9ed1dabfef28db523e7de81edeb3dd689e9171236a2213c36cf51121ef6c05cfccd78037371f968f31a7eecfa411df3d12e6b810e6ca5df47254fc3db3fUsers should upgrade to openclaw 2026.4.14 or newer. The latest npm release, 2026.4.14, already includes the fix.
Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
| Score | Percentile |
|---|---|
| 0.03% | 8.84% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.7 | 3.1 | — |
|
| 6.9 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-53vx-pmqw-863c ↗ |
| CVE | CVE-2026-43527 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | openclaw | < 2026.4.14 | 2026.4.14 | — |