Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-26322— OpenClaw Gateway tool allowed unrestricted gatewayUrl override

CVSS 7.6 · High EPSS 0.02% · P5
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-26322

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
OpenClaw Gateway tool allowed unrestricted gatewayUrl override
Source: NVD (National Vulnerability Database)
Vulnerability Description
OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Gateway tool accepted a tool-supplied `gatewayUrl` without sufficient restrictions, which could cause the OpenClaw host to attempt outbound WebSocket connections to user-specified targets. This requires the ability to invoke tools that accept `gatewayUrl` overrides (directly or indirectly). In typical setups this is limited to authenticated operators, trusted automation, or environments where tool calls are exposed to non-operators. In other words, this is not a drive-by issue for arbitrary internet users unless a deployment explicitly allows untrusted users to trigger these tool calls. Some tool call paths allowed `gatewayUrl` overrides to flow into the Gateway WebSocket client without validation or allowlisting. This meant the host could be instructed to attempt connections to non-gateway endpoints (for example, localhost services, private network addresses, or cloud metadata IPs). In the common case, this results in an outbound connection attempt from the OpenClaw host (and corresponding errors/timeouts). In environments where the tool caller can observe the results, this can also be used for limited network reachability probing. If the target speaks WebSocket and is reachable, further interaction may be possible. Starting in version 2026.2.14, tool-supplied `gatewayUrl` overrides are restricted to loopback (on the configured gateway port) or the configured `gateway.remote.url`. Disallowed protocols, credentials, query/hash, and non-root paths are rejected.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
OpenClaw 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OpenClaw是openclaw开源的一个智能人工助理。 OpenClaw 2026.2.14之前版本存在代码问题漏洞,该漏洞源于Gateway工具接受工具提供的gatewayUrl时限制不足,可能导致OpenClaw主机尝试向用户指定的目标发起出站WebSocket连接,可用于有限的网络可达性探测。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
openclawopenclaw < 2026.2.14 -

II. Public POCs for CVE-2026-26322

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-26322

登录查看更多情报信息。

Same Patch Batch · openclaw · 2026-02-19 · 22 CVEs total

CVE-2026-263167.5 HIGHOpenClaw has BlueBubbles webhook auth bypass via loopback proxy trust
CVE-2026-263197.5 HIGHOpenClaw has Missing Webhook Authentication in Telnyx Provider Allowing Unauthenticated Re
CVE-2026-254747.5 HIGHOpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`
CVE-2026-263217.5 HIGHOpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension
CVE-2026-263247.5 HIGHOpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reach
CVE-2026-263257.2 HIGHOpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals
CVE-2026-263177.1 HIGHOpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation e
CVE-2026-269726.7 MEDIUMOpenClaw has a Path Traversal in Browser Download Functionality
CVE-2026-263286.5 MEDIUMOpenClaw iMessage group allowlist authorization inherited DM pairing-store identities
CVE-2026-270095.8 MEDIUMOpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inl
CVE-2026-26327OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning
CVE-2026-26326OpenClaw skills.status could leak secrets to operator.read clients
CVE-2026-26329OpenClaw has a path traversal in browser upload allows local file read
CVE-2026-26323OpenClaw has a command injection in maintainer clawtributors updater
CVE-2026-27001OpenClaw: Unsanitized CWD path injection into LLM prompts
CVE-2026-27002OpenClaw: Docker container escape via unvalidated bind mount config injection
CVE-2026-27003OpenClaw: Telegram bot token exposure via logs
CVE-2026-27004OpenClaw session tool visibility hardening and Telegram webhook secret fallback
CVE-2026-27007OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container rec
CVE-2026-27008OpenClaw hardened the skill download target directory validation

Showing top 20 of 22 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: openclaw
Same vendor: openclaw
Same weakness: CWE-918

V. Comments for CVE-2026-26322

No comments yet

Leave a comment