CVE-2026-26322
Outbound WebSocket Connection Vulnerability in OpenClaw Gateway
Publication date: 2026-02-19
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | < 2026.2.14 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenClaw, a personal AI assistant, prior to version 2026.2.14. The issue arises because the Gateway tool accepted a user-supplied `gatewayUrl` without sufficient restrictions. This allowed the OpenClaw host to attempt outbound WebSocket connections to targets specified by the user.
To exploit this, an attacker needs the ability to invoke tools that accept `gatewayUrl` overrides, which is typically limited to authenticated operators or trusted automation. In environments where untrusted users can trigger these tool calls, the host could be instructed to connect to non-gateway endpoints such as localhost services, private network addresses, or cloud metadata IPs.
This could result in outbound connection attempts from the OpenClaw host, potentially allowing limited network reachability probing or further interaction if the target supports WebSocket and is reachable.
Starting with version 2026.2.14, OpenClaw restricts tool-supplied `gatewayUrl` overrides to only loopback addresses on the configured gateway port or the configured `gateway.remote.url`, rejecting disallowed protocols, credentials, query/hash, and non-root paths.
How can this vulnerability impact me?
If exploited, this vulnerability can cause the OpenClaw host to make outbound WebSocket connection attempts to arbitrary targets specified by the attacker.
This can lead to limited network reachability probing, allowing an attacker to discover services running on localhost, private networks, or cloud metadata IPs that are normally inaccessible.
In some cases, if the target supports WebSocket and is reachable, further interaction beyond simple probing may be possible, potentially exposing sensitive internal services.
However, exploitation requires the ability to invoke tools that accept `gatewayUrl` overrides, which is generally limited to authenticated or trusted users, so it is not a drive-by vulnerability for arbitrary internet users unless the deployment explicitly allows untrusted users to trigger these tool calls.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade OpenClaw to version 2026.2.14 or later. This version restricts tool-supplied `gatewayUrl` overrides to loopback on the configured gateway port or the configured `gateway.remote.url`, and rejects disallowed protocols, credentials, query/hash, and non-root paths.
Additionally, ensure that only authenticated operators or trusted automation can invoke tools that accept gatewayUrl overrides, and avoid exposing these tool calls to untrusted users.