top of page
perceptive_background_267k.jpg

OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows attackers to access …

Published:

20 april 2026 om 22:00:00

Alert date:

21 april 2026 om 17:05:49

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies

OpenClaw versions before 2026.3.31 contain a server-side request forgery (SSRF) vulnerability in the marketplace plugin download functionality. The vulnerability exists in the marketplace.ts module which fails to properly validate redirect destinations during archive downloads. Remote attackers can exploit this flaw to access internal resources by manipulating redirects to point to arbitrary internal or external servers. This could potentially allow unauthorized access to internal network resources and sensitive data.

Technical details

Mitigation steps:

Affected products:

OpenClaw

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-41297
https://github.com/openclaw/openclaw/commit/2ce44ca6a1302b166a128abbd78f72114f2f4f52
https://github.com/openclaw/openclaw/security/advisories/GHSA-vjx8-8p7h-82gr
https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-marketplace-plugin-download-redirect

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page