GHSA-8MVX-P2R9-R375
Vulnerability from github – Published: 2026-03-03 21:19 – Updated: 2026-03-19 18:35
Summary
openclaw web tools strict URL fetch paths could lose DNS pinning when environment proxy variables are configured (HTTP_PROXY/HTTPS_PROXY/ALL_PROXY, including lowercase variants).
In affected builds, strict URL checks (for example web_fetch and citation redirect resolution) validated one destination during SSRF guard checks, but runtime connection routing could proceed through an env-proxy dispatcher.
Affected Packages / Versions
- Package: openclaw (npm)
- Vulnerable version range: <= 2026.3.1
- Latest published npm version at triage time (2026-03-02): 2026.3.1
- Patched versions: >= 2026.3.2 (released)
Technical Details
The SSRF guard performed hostname resolution and policy checks, then selected a request dispatcher.
When env proxy settings were present, strict web-tool flows could use EnvHttpProxyAgent instead of the DNS-pinned dispatcher. This created a destination-binding gap between check-time resolution and connect-time routing.
The fix keeps DNS pinning on strict/untrusted web-tool URL paths and limits env-proxy bypass behavior to trusted/operator-controlled endpoints via an explicit dangerous opt-in.
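The check-time/connect-time split described above, as an added illustration that is not OpenClaw's code: a guard resolves the hostname once, applies a private-range policy and pins the resolved address, and a dispatcher selector then decides whether that pin survives when HTTP_PROXY/HTTPS_PROXY/ALL_PROXY (any case) are set. The resolver table, the env-var handling and the dispatcher objects are all constructed for this example; the vulnerable selector is shown beside the fixed one.

```javascript
// Constructed resolver table standing in for DNS (not a real lookup).
const RESOLVER = { 'api.example.com': '203.0.113.10', 'intranet.example': '10.0.0.5' };

function isPrivateIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || a === 127 || a === 0 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Check-time step: resolve once, apply policy, return the address to connect to.
function ssrfGuard(urlString) {
  const url = new URL(urlString);
  const address = RESOLVER[url.hostname];
  if (!address) throw new Error(`unresolvable host ${url.hostname}`);
  if (isPrivateIPv4(address)) throw new Error(`blocked private target ${address}`);
  return { hostname: url.hostname, address };
}

// Upper- and lowercase proxy variables all count, as the advisory notes.
function envProxy(env) {
  for (const k of ['HTTPS_PROXY', 'HTTP_PROXY', 'ALL_PROXY']) {
    const v = env[k] || env[k.toLowerCase()];
    if (v) return v;
  }
  return undefined;
}

// Vulnerable selection: a proxy env var alone overrides the pin, so the proxy
// (not the guard) decides which destination the connection actually reaches.
function selectDispatcherVulnerable(pin, env) {
  const proxy = envProxy(env);
  if (proxy) return { kind: 'env-proxy', proxy, connectTo: null };
  return { kind: 'pinned', connectTo: pin.address, sni: pin.hostname };
}

// Fixed selection: strict (untrusted) URL paths always keep the pin; the env proxy
// is honoured only for operator-marked trusted endpoints behind an explicit opt-in.
function selectDispatcherFixed(pin, env, { trusted = false, allowEnvProxy = false } = {}) {
  const proxy = envProxy(env);
  if (proxy && trusted && allowEnvProxy) return { kind: 'env-proxy', proxy, connectTo: null };
  return { kind: 'pinned', connectTo: pin.address, sni: pin.hostname };
}
```

A `connectTo` of `null` is the gap the advisory describes: the guard validated one destination, but the dispatcher no longer binds the connection to it.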
Impact
In deployments with env proxy variables configured, attacker-influenced URLs from web tools could be routed through proxy behavior instead of strict pinned-destination routing, which could allow access to internal/private targets reachable from that proxy environment.
Mitigations
Before upgrading, operators can reduce exposure by clearing proxy env vars for OpenClaw runtime processes or disabling web_fetch / web_search where untrusted URL input is possible.
Fix Commit(s)
345abf0b2e0f43b0f229e96f252ebf56f1e5549e
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.1"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22181"
],
"database_specific": {
"cwe_ids": [
"CWE-367",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T21:19:47Z",
"nvd_published_at": "2026-03-18T02:16:22Z",
"severity": "MODERATE"
},
"details": "### Summary\n`openclaw` web tools strict URL fetch paths could lose DNS pinning when environment proxy variables are configured (`HTTP_PROXY`/`HTTPS_PROXY`/`ALL_PROXY`, including lowercase variants).\n\nIn affected builds, strict URL checks (for example `web_fetch` and citation redirect resolution) validated one destination during SSRF guard checks, but runtime connection routing could proceed through an env-proxy dispatcher.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Vulnerable version range: `\u003c= 2026.3.1`\n- Latest published npm version at triage time (2026-03-02): `2026.3.1`\n- Patched versions: `\u003e= 2026.3.2` (released)\n\n### Technical Details\nThe SSRF guard performed hostname resolution and policy checks, then selected a request dispatcher.\n\nWhen env proxy settings were present, strict web-tool flows could use `EnvHttpProxyAgent` instead of the DNS-pinned dispatcher. This created a destination-binding gap between check-time resolution and connect-time routing.\n\nThe fix keeps DNS pinning on strict/untrusted web-tool URL paths and limits env-proxy bypass behavior to trusted/operator-controlled endpoints via an explicit dangerous opt-in.\n\n### Impact\nIn deployments with env proxy variables configured, attacker-influenced URLs from web tools could be routed through proxy behavior instead of strict pinned-destination routing, which could allow access to internal/private targets reachable from that proxy environment.\n\n### Mitigations\nBefore upgrading, operators can reduce exposure by clearing proxy env vars for OpenClaw runtime processes or disabling `web_fetch` / `web_search` where untrusted URL input is possible.\n\n### Fix Commit(s)\n- `345abf0b2e0f43b0f229e96f252ebf56f1e5549e`",
"id": "GHSA-8mvx-p2r9-r375",
"modified": "2026-03-19T18:35:37Z",
"published": "2026-03-03T21:19:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8mvx-p2r9-r375"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22181"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/345abf0b2e0f43b0f229e96f252ebf56f1e5549e"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-dns-pinning-bypass-via-environment-proxy-configuration-in-web-fetch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw\u0027s web tools strict URL guard could lose DNS pinning when env proxy is configured"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|