top of page
perceptive_background_267k.jpg

OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows attackers to access …

Published:

20 april 2026 om 22:00:00

Alert date:

21 april 2026 om 07:08:02

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies

OpenClaw versions before 2026.3.31 contain a server-side request forgery (SSRF) vulnerability in the marketplace plugin download functionality. The vulnerability exists in the marketplace.ts module which fails to properly validate redirect destinations during archive downloads. This allows remote attackers to redirect requests to arbitrary internal or external servers, potentially accessing sensitive internal resources. The vulnerability enables attackers to exploit unvalidated redirects to perform unauthorized server-side requests.

Technical details

Mitigation steps:

Affected products:

OpenClaw

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-41297
https://github.com/openclaw/openclaw/commit/2ce44ca6a1302b166a128abbd78f72114f2f4f52
https://github.com/openclaw/openclaw/security/advisories/GHSA-vjx8-8p7h-82gr
https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-marketplace-plugin-download-redirect

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page