Vulnerability Description
OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in browser CDP profile creation that skips strict-mode SSRF policy checks. Attackers can create stored profiles pointing to private-network or metadata endpoints that bypass security policies and are later probed during normal profile status operations.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | < 2026.4.20 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/1fd049e3074cac72f6734a7fe88468c84f5fPatch
- https://github.com/openclaw/openclaw/commit/e90c89cf8b1459f2aa1f3a665be67392b6c0Patch
- https://github.com/openclaw/openclaw/security/advisories/GHSA-j4c5-89f5-f3pmThird Party Advisory
- https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-brThird Party AdvisoryPatch
FAQ
What is CVE-2026-45000?
CVE-2026-45000 is a vulnerability with a CVSS score of 5.0 (MEDIUM). OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in browser CDP profile creation that skips strict-mode SSRF policy checks. Attackers can create stored profiles pointing ...
How severe is CVE-2026-45000?
CVE-2026-45000 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-45000?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.