{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-41302/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.6,"id":"CVE-2026-41302"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["ssrf","cve-2026-41302","openclaw"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw versions prior to 2026.3.31 are susceptible to a server-side request forgery (SSRF) vulnerability (CVE-2026-41302) within the marketplace plugin's download functionality. This flaw enables unauthenticated, remote attackers to craft malicious requests that force the OpenClaw server to make arbitrary HTTP requests to attacker-controlled or internal destinations. The vulnerability stems from insufficient validation of user-supplied input used in fetch() calls, allowing attackers to bypass intended restrictions and abuse the server's trust relationship with other systems. Successful exploitation could lead to sensitive information disclosure, internal network scanning, or denial-of-service against internal resources. This issue poses a significant risk to organizations using affected versions of OpenClaw, particularly those with sensitive data or critical services accessible from the internal network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an OpenClaw instance running a vulnerable version (prior to 2026.3.31).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the marketplace plugin download functionality. This request includes a manipulated URL or parameter designed to be used by the \u003ccode\u003efetch()\u003c/code\u003e call.\u003c/li\u003e\n\u003cli\u003eThe crafted request is sent to the OpenClaw server.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw server receives the request and processes it through the vulnerable marketplace plugin.\u003c/li\u003e\n\u003cli\u003eThe application uses the attacker-supplied URL in a \u003ccode\u003efetch()\u003c/code\u003e call without proper sanitization or validation.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efetch()\u003c/code\u003e call initiates an HTTP request from the OpenClaw server to the attacker-specified destination. This could be an internal resource (e.g., metadata server, internal service) or an external server.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw server receives the response from the target and, depending on the application logic, may expose parts or all of the response to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive information from internal resources, scans the internal network, or leverages the server to interact with external services, potentially leading to data exfiltration or further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-41302) could allow attackers to access sensitive internal resources, such as configuration files, databases, or internal APIs. Attackers might be able to perform reconnaissance on the internal network, identify other vulnerable systems, or even pivot to other internal hosts. The impact ranges from information disclosure to denial-of-service or potentially remote code execution if internal services are vulnerable. While the specific number of affected OpenClaw instances is unknown, organizations in various sectors using the vulnerable software are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41302.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on all user-supplied data used in network requests to prevent SSRF attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category: webserver, product: linux) for unusual outbound connections originating from the OpenClaw server, especially to internal IP addresses or unusual ports.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect OpenClaw SSRF Attempt\u0026quot; to identify potential exploitation attempts based on HTTP request patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-openclaw-ssrf/","summary":"OpenClaw before 2026.3.31 is vulnerable to server-side request forgery, enabling remote attackers to make arbitrary network requests and potentially access internal resources or interact with external services.","title":"OpenClaw SSRF Vulnerability (CVE-2026-41302)","url":"https://feed.craftedsignal.io/briefs/2024-01-openclaw-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-41302","version":"https://jsonfeed.org/version/1.1"}