MEDIUM 6.5

CVE-2026-35673: OpenClaw SSRF Policy Bypass in Debug and Export Routes

OpenClaw versions before 2026.4.29 contain a Server-Side Request Forgery (SSRF) policy bypass that allows authenticated users to circumvent network security controls. The vulnerability exists in browser debug and export functionality, where attackers can reuse previously-blocked tabs to access or export content that should remain restricted by private-network SSRF policies. This is a policy evasion technique rather than a direct network breach—the attacker must already have authenticated access to these routes, but can then leverage that access to reach otherwise-protected resources.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
Weaknesses (CWE)
CWE-863
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

OpenClaw before 2026.4.29 contains an SSRF policy bypass vulnerability in browser debug and export routes that allows reuse of already-open blocked tabs. Attackers with access to these routes can bypass private-network SSRF policies by reusing blocked tabs to export or inspect content that should remain protected.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-35673 is an improper authorization vulnerability (CWE-863) affecting OpenClaw's debug and export routes. The flaw allows an authenticated user to bypass SSRF policies by manipulating the browser tab state; specifically, by reusing tabs that were previously blocked or restricted. The vulnerability permits circumvention of private-network access controls, enabling export or inspection of protected content. The CVSS 3.1 score of 6.5 reflects a network-exploitable attack requiring authentication and user interaction, with high confidentiality impact but limited integrity and no availability impact. The attack surface is contingent on route access and the presence of blocked tabs in the browser session.

Business impact

This vulnerability primarily threatens organizations that rely on OpenClaw for secure content inspection or export workflows, particularly in environments handling sensitive internal data. Insider threats or compromised user accounts with access to debug/export routes become significantly more dangerous, as the SSRF bypass allows them to extract or inspect data from private network resources that should remain isolated. For teams using OpenClaw in security-sensitive or compliance-heavy roles, the ability to bypass SSRF policies represents a meaningful data exfiltration risk. However, the requirement for prior authentication and user interaction limits the blast radius compared to unauthenticated or fully automatic exploits.

Affected systems

OpenClaw versions prior to 2026.4.29 are affected. Organizations running OpenClaw should verify their installed version and upgrade to 2026.4.29 or later. The vulnerability affects the browser debug and export functionality specifically, so only deployments actively using these features are exposed to the risk.

Exploitability

Exploitation requires an authenticated user (insider or compromised account) with access to OpenClaw's debug or export routes. The attacker must also interact with the browser interface to reuse blocked tabs, meaning fully passive or remote exploitation is not feasible. The conditional nature of this attack—needing both valid credentials and the presence of previously-blocked tabs—moderates exploitability. However, in operational environments, blocked tabs may persist in user sessions, making this a realistic attack path for an insider with appropriate route permissions.

Remediation

Upgrade to OpenClaw 2026.4.29 or later. Verify the upgrade against the vendor's official release notes or advisory to confirm that SSRF policy enforcement has been patched. Additionally, audit access controls to the debug and export routes, ensuring that only authorized personnel retain these permissions. Consider implementing session management controls to prevent reuse of sensitive browser states.

Patch guidance

Deploy OpenClaw version 2026.4.29 or later across all affected instances. Review your deployment's patching procedures and test the update in a non-production environment first to confirm compatibility with your configuration. If you are running a version between the initial release and 2026.4.29, prioritize upgrading. Consult OpenClaw's official release notes and security advisory for detailed upgrade steps and any breaking changes.

Detection guidance

Monitor access to OpenClaw's debug and export routes, particularly by users with limited typical access patterns. Log and review instances where these routes export or access private-network resources, especially if those resources would normally be blocked by SSRF policies. Inspect browser session logs or debug telemetry for anomalous tab reuse or state manipulation. Network-level monitoring may also reveal unexpected outbound connections from OpenClaw instances to private network ranges that should not be reachable.

Why prioritize this

Although the CVSS score is moderate (6.5), this vulnerability warrants prompt attention because it directly undermines security policy enforcement in a debugging/export context. Organizations that intentionally restrict access to certain network resources—via SSRF policies—rely on those controls for compliance and data protection. A policy bypass erodes that protection and creates an insider-threat amplification vector. Prioritize this vulnerability in environments where OpenClaw handles sensitive data or private network inspection.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects: (1) Network accessibility (AV:N) and low attack complexity (AC:H) reflecting the need for authentication and user interaction; (2) Privilege requirement at the user level (PR:L), since the attacker must already have authenticated access to debug/export routes; (3) Requirement for user interaction (UI:R) to reuse tabs; (4) Scope change (S:C) because the SSRF bypass affects resources outside the original trust boundary; (5) High confidentiality impact (C:H) from unauthorized data access, and limited integrity impact (I:L) from potential data export manipulation. Availability is not impacted. The 'MEDIUM' severity reflects a meaningful but conditional threat.

Frequently asked questions

Can this vulnerability be exploited without authentication?

No. The attacker must already be an authenticated user with access to OpenClaw's debug or export routes. This makes it primarily an insider-threat or compromised-credential risk rather than a direct internet-facing vulnerability.

What is the difference between this SSRF bypass and a traditional SSRF?

Traditional SSRF attacks craft arbitrary requests to internal network resources. This vulnerability exploits existing browser tabs that are already blocked by policy, allowing an attacker to reuse that context to export or inspect restricted content. It is a policy enforcement bypass rather than a new attack surface—the internal resource was already reachable by OpenClaw; the vulnerability allows unauthorized users to access it.

Do I need to disable debug or export routes entirely to be safe?

Upgrading to 2026.4.29 or later patches the vulnerability, so disabling is not necessary if you patch promptly. However, if you cannot upgrade immediately, restricting access to these routes to only trusted administrators is a strong interim control.

How does this affect my SSRF policy compliance?

If your security policy states that certain network resources must not be accessible via OpenClaw, this vulnerability allows an authenticated user to circumvent that policy. After patching, policy enforcement is restored. Review your configuration and access logs to ensure no unauthorized exports or inspections occurred during the window of vulnerability.

This analysis is provided for informational purposes and reflects the state of the vulnerability as of the published date. Always consult OpenClaw's official security advisories and release notes for authoritative patching and deployment guidance. Security controls, threat models, and organizational risk tolerances vary; adjust remediation prioritization based on your environment and risk profile. No exploit code or proof-of-concept is provided or endorsed. Organizations should validate patch effectiveness and monitor their deployments for signs of compromise or unauthorized policy bypass. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).