CVE-2026-28476

HIGH 8.3 | EPSS 0.07%

OpenClaw affected by SSRF in optional Tlon (Urbit) extension authentication

Published: 2026/2/18, modified: 2026/5/5

Description

## Summary

The optional Tlon (Urbit) extension previously accepted a user-provided base URL for authentication and used it to construct an outbound HTTP request, enabling server-side request forgery (SSRF) in affected deployments.

## Impact

This only affects deployments that have installed and configured the Tlon (Urbit) extension, and where an attacker can influence the configured Urbit URL. Under those conditions, the gateway could be induced to make HTTP requests to attacker-chosen hosts (including internal addresses). Deployments that do not use the Tlon extension, or where untrusted users cannot change the Urbit URL, are not impacted.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.2.13`

## Fixed Versions

- `2026.2.14` (planned next release)

## Fix Commit(s)

- `bfa7d21e997baa8e3437657d59b1e296815cc1b1`

## Details

Urbit authentication now validates and normalizes the base URL and uses an SSRF guard that blocks private/internal hosts by default (opt-in: `channels.tlon.allowPrivateNetwork`).

## Release Process Note

This advisory is pre-populated with the planned patched version (`2026.2.14`). After `openclaw@2026.2.14` is published to npm, publish this advisory without further edits.

Thanks @p80n-sec for reporting.
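As an added example (not OpenClaw's own code), here is a guard of the kind the Details section describes, written in JavaScript for Node: it parses the user-supplied base URL with the WHATWG `URL` parser (which also canonicalizes IPv4 spellings such as `0x7f.1` or `2130706433`), normalizes it to `scheme://host[:port]`, and rejects loopback, link-local, RFC 1918, unique-local and IPv4-mapped addresses unless an `allowPrivateNetwork` option is set. That option name is assumed here to mirror the `channels.tlon.allowPrivateNetwork` opt-in; the function and error messages are illustrative.

```javascript
// Added example, not OpenClaw's code: an SSRF guard for a user-supplied Urbit base URL.
// `allowPrivateNetwork` is assumed here to mirror the `channels.tlon.allowPrivateNetwork` opt-in.

function isPrivateIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 ||            // this-host, RFC 1918, loopback
    (a === 169 && b === 254) ||                          // link-local (incl. cloud metadata)
    (a === 172 && b >= 16 && b <= 31) ||                 // RFC 1918
    (a === 192 && b === 168) ||                          // RFC 1918
    (a === 100 && b >= 64 && b <= 127) ||                // shared address space (RFC 6598)
    a >= 224;                                            // multicast, reserved, broadcast
}

// Expand a bracketed IPv6 host as serialized by the WHATWG URL parser (e.g. "[::ffff:7f00:1]") to 8 hextets.
function expandIPv6(host) {
  const [head, tail = ""] = host.slice(1, -1).split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  return [...h, ...Array(8 - h.length - t.length).fill("0"), ...t].map((x) => parseInt(x, 16));
}

function isPrivateIPv6(host) {
  const p = expandIPv6(host);
  if (p.slice(0, 5).every((x) => x === 0) && p[5] === 0xffff) {   // IPv4-mapped: apply IPv4 rules
    return isPrivateIPv4(`${p[6] >> 8}.${p[6] & 0xff}.${p[7] >> 8}.${p[7] & 0xff}`);
  }
  return (p.slice(0, 7).every((x) => x === 0) && p[7] <= 1) ||    // :: and ::1
    (p[0] & 0xfe00) === 0xfc00 ||                                  // fc00::/7 unique local
    (p[0] & 0xffc0) === 0xfe80;                                    // fe80::/10 link-local
}

function isPrivateHost(hostname) {
  if (hostname === "localhost" || hostname.endsWith(".localhost")) return true;
  if (hostname.startsWith("[")) return isPrivateIPv6(hostname);
  // WHATWG parsing has already canonicalized forms like 0x7f.1 or 2130706433 to dotted decimal.
  if (/^\d+(\.\d+){3}$/.test(hostname)) return isPrivateIPv4(hostname);
  return false; // DNS name: literal check only, see note below
}

// Returns the normalized base URL (scheme://host[:port]) or throws if it must not be used.
function validateUrbitBaseUrl(input, { allowPrivateNetwork = false } = {}) {
  let url;
  try { url = new URL(input); } catch { throw new Error("invalid Urbit URL"); }
  if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error("scheme must be http or https");
  if (url.username || url.password) throw new Error("credentials not allowed in Urbit URL");
  if (!allowPrivateNetwork && isPrivateHost(url.hostname)) throw new Error("private/internal host blocked");
  return `${url.protocol}//${url.host}`; // drops path, query, fragment; host is lowercased by URL
}
```

Checking the literal hostname does not cover a public DNS name that resolves to an internal address, so a complete guard also resolves the name and applies the same checks to every resolved address at connection time (otherwise DNS rebinding can defeat a pre-request check).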

Affected packages (1)

CVSS score

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L |
| osv | CVSS 3.1 | HIGH 8.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L |

References (6)