CVE-2026-41302

MEDIUM EPSS 12.9%
Published Apr 21, 20262mo ago · Modified Jun 17, 20261w ago
4.8 CVSS 4.0
Medium
Find Similar
Published Apr 21, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows remote attackers to make arbitrary network requests. Attackers can exploit unguarded fetch() calls to access internal resources or interact with external services on behalf of the affected system.

CVSS Details

Base Score
4.8
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction P
Scope X

Threat Intelligence

EPSS Exploit Probability
12.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-918 Server-Side Request Forgery (SSRF) Validation

Affected Products 1

VendorProductVersionRange
openclawopenclaw* <2026.3.31

References 3

  • github.com https://github.com/openclaw/openclaw/commit/8deb9522f3d2680820588b190adb4a2a52f3670b
    Patch
  • github.com https://github.com/openclaw/openclaw/security/advisories/GHSA-9q7v-8mr7-g23p
    Vendor Advisory
  • vulncheck.com https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-fetch-in-marketplace-plugin-download
    Third Party Advisory

Remediation

  • github.com https://github.com/openclaw/openclaw/commit/8deb9522f3d2680820588b190adb4a2a52f3670b
    Patch