OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypas…

OpenClaw versions before 2026.4.10 contain a server-side request forgery (SSRF) policy bypass vulnerability in existing-session browser interaction routes. The vulnerability allows attackers to bypass SSRF navigation guards and interact with or navigate to unauthorized targets without proper policy enforcement. This security flaw affects the application's ability to prevent malicious server-side requests, potentially enabling unauthorized access to internal resources or external systems. The vulnerability has been addressed in version 2026.4.10 and later releases.