CVE-2026-6011
Status: Received - Intake
Server-Side Request Forgery in OpenClaw Web-Fetch Component

Publication date: 2026-04-10

Last updated on: 2026-04-30

Assigner: VulDB

Description
A weakness has been identified in OpenClaw up to version 2026.1.26. It affects an unknown part of the file src/agents/tools/web-fetch.ts in the component assertPublicHostname Handler. Manipulation can lead to server-side request forgery. The attack can be executed remotely and is of high complexity; exploitation is known to be difficult. An exploit has been made public and could be used in attacks. Upgrading to version 2026.1.29 resolves the issue; the fix is commit b623557a2ec7e271bda003eb3ac33fbb2e218505. Upgrading the affected component is advised.
Meta Information
Published: 2026-04-10
Last Modified: 2026-04-30
Generated: 2026-05-07
AI Q&A: 2026-04-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: openclaw
Product: openclaw
Version / Range: up to 2026.1.29 (exclusive)
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-6011 is a Server-Side Request Forgery (SSRF) vulnerability in the OpenClaw project, specifically in the web_fetch tool used by AI agents to fetch URL content.

The vulnerability arises from a Time-of-Check to Time-of-Use (TOCTOU) race condition caused by DNS rebinding. The security check verifies the hostname and IP address before the HTTP request, but the actual HTTP request performs a separate DNS resolution. This gap allows an attacker controlling the DNS server to change the DNS response between the check and the request, bypassing protections.

An attacker can manipulate the DNS responses so that the initial check passes with a public IP, but the subsequent request resolves to an internal or private IP address, potentially accessing sensitive internal services like cloud metadata endpoints.

Exploitation is of medium to high difficulty: it requires control over the DNS server answering for the hostname, precise timing of the record switch between the check and the request, and the ability to send messages to the bot.


How can this vulnerability impact me?

If exploited, this vulnerability can allow an attacker to bypass SSRF protections and send requests to internal or sensitive services that are normally inaccessible from outside the network.

This can lead to unauthorized access to sensitive internal resources such as cloud metadata services, which may expose credentials or other confidential information.

Due to the complexity and difficulty of exploitation, the risk is moderate, but successful exploitation could result in serious information disclosure and potential compromise of internal systems.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of CVE-2026-6011 involves identifying attempts to exploit a Server-Side Request Forgery (SSRF) vulnerability caused by a DNS rebinding TOCTOU race condition in OpenClaw's web-fetch tool.

Since the vulnerability exploits a timing window between DNS resolution checks and actual HTTP requests, monitoring for unusual DNS queries that rapidly change IP addresses for the same hostname could indicate an attack.

You can detect suspicious activity by:

  • Monitoring DNS logs for rapid changes in DNS responses for the same domain.
  • Checking HTTP request logs for requests to internal IP addresses (e.g., 169.254.169.254) that should not be accessible externally.
  • Using network monitoring tools to detect unexpected outbound requests to private or internal IP ranges.

Suggested commands for detection might include:

  • Using tcpdump or Wireshark to capture DNS and HTTP traffic: `tcpdump -i any port 53 or port 80`
  • Querying DNS records repeatedly to check for DNS rebinding behavior: run `dig @your-dns-server attacker-controlled-domain.com` several times and compare the returned IP addresses.
  • Searching logs for requests to sensitive internal IPs: `grep -E '169\.254\.169\.254|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[0-1])\.' /var/log/httpd/access.log`

Because exploitation requires precise timing and DNS control, detection may require correlating DNS query patterns with HTTP requests to internal IPs.
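An added example, not part of this advisory or of OpenClaw, that applies the correlation idea above to constructed resolver and egress-proxy log lines: it flags hostnames whose answers flip between public and private space within a short window, and outbound requests to a private address whose Host header names a hostname that was just answered with that address. The log formats, timestamps, hostnames and addresses are all assumptions.

```typescript
// Constructed sample logs (not real data): resolver log "ts qname answer" and an
// egress-proxy log "ts host dst_ip path", both with epoch-second timestamps.
export const DNS_LOG = [
  "1712745600 fetch.example 203.0.113.10",
  "1712745601 fetch.example 169.254.169.254",
  "1712745650 docs.example 198.51.100.7",
];
export const HTTP_LOG = [
  "1712745601 fetch.example 169.254.169.254 /latest/meta-data/",
  "1712745650 docs.example 198.51.100.7 /guide",
];

// The advisory's grep pattern for private/link-local space, anchored to the start of the address.
const PRIVATE_RE = /^(169\.254\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)/;
export const isPrivate = (ip: string): boolean => PRIVATE_RE.test(ip);

export type DnsRec = { ts: number; qname: string; answer: string };
export type HttpRec = { ts: number; host: string; dst: string; path: string };

export function parseDns(lines: string[]): DnsRec[] {
  return lines.map(l => l.split(/\s+/)).map(([ts, qname, answer]) => ({ ts: Number(ts), qname, answer }));
}
export function parseHttp(lines: string[]): HttpRec[] {
  return lines.map(l => l.split(/\s+/)).map(([ts, host, dst, path]) => ({ ts: Number(ts), host, dst, path }));
}

// Finding 1: a name whose answer flipped between public and private space within windowSec.
export function rebindingNames(dns: DnsRec[], windowSec = 60): string[] {
  const byName: Record<string, DnsRec[]> = {};
  for (const r of dns) (byName[r.qname] || (byName[r.qname] = [])).push(r);
  const hits: string[] = [];
  for (const name of Object.keys(byName)) {
    const recs = byName[name].slice().sort((a, b) => a.ts - b.ts);
    for (let i = 1; i < recs.length; i++) {
      const flipped = isPrivate(recs[i - 1].answer) !== isPrivate(recs[i].answer);
      if (flipped && recs[i].ts - recs[i - 1].ts <= windowSec) { hits.push(name); break; }
    }
  }
  return hits;
}

// Finding 2: outbound requests into private space whose Host header names a hostname
// that the resolver answered with that same private address within windowSec.
export function correlate(dns: DnsRec[], http: HttpRec[], windowSec = 60): HttpRec[] {
  return http.filter(h => isPrivate(h.dst) &&
    dns.some(d => d.qname === h.host && d.answer === h.dst && Math.abs(d.ts - h.ts) <= windowSec));
}
```

A request that reaches a private address without any matching resolver answer is still worth a look; the correlation only narrows the alerts to the rebinding pattern this advisory describes.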


What immediate steps should I take to mitigate this vulnerability?

The primary and recommended mitigation for CVE-2026-6011 is to upgrade OpenClaw to version 2026.1.29 or later, which includes a patch that addresses the vulnerability.

The patch implements DNS pinning to prevent DNS rebinding attacks by resolving hostnames to fixed IP addresses before making HTTP requests and using a pinned dispatcher to ensure consistent IP usage throughout the fetch and redirect process.

Additional immediate steps include:

  • Restricting network access to internal services such as cloud metadata endpoints (e.g., AWS 169.254.169.254) from the Openclaw environment.
  • Implementing strict input validation and limiting the URLs that the AI model or users can provide to the web-fetch tool.
  • Monitoring and logging DNS queries and HTTP requests to detect suspicious activity.

In summary, upgrading to the fixed version is the most effective mitigation, as it closes the TOCTOU window by pinning DNS resolutions and improving resource cleanup and error handling.
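As an added illustration of the pinning strategy the fix description outlines (this is not OpenClaw's code and not taken from the patch), the check-then-resolve shape beside a pinned shape that resolves once, validates the address, hands that exact address to the transport and repeats the check on every redirect hop. The resolver and transport are simulated stand-ins so the example runs offline, and the hostnames and addresses are constructed.

```typescript
type Resolver = (hostname: string) => string;   // simulated DNS: hostname -> IPv4 string
type FetchResult = { status: number; location?: string; body?: string };
type Transport = (ip: string, hostname: string, path: string) => FetchResult;

// Minimal absolute-URL parser so the example needs no runtime globals.
function parseHttpUrl(url: string): { hostname: string; path: string } {
  const m = /^https?:\/\/([^/:?#]+)(?::\d+)?(\/[^#]*)?$/.exec(url);
  if (!m) throw new Error(`unsupported url: ${url}`);
  return { hostname: m[1], path: m[2] || "/" };
}
// Loopback, link-local (incl. 169.254.169.254 metadata), RFC 1918, and unparseable input.
export function isPrivateIPv4(ip: string): boolean {
  const o = ip.split(".").map(Number);
  if (o.length !== 4 || o.some(n => !(n >= 0 && n <= 255 && n === Math.floor(n)))) return true;
  return o[0] === 0 || o[0] === 10 || o[0] === 127 || (o[0] === 169 && o[1] === 254) ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) || (o[0] === 192 && o[1] === 168);
}
// Vulnerable shape from the advisory: one lookup for the check, then a second, independent
// lookup by the transport. A resolver that changes its answer in between defeats the check.
export function fetchCheckThenResolve(url: string, resolve: Resolver, send: Transport): FetchResult {
  const { hostname, path } = parseHttpUrl(url);
  if (isPrivateIPv4(resolve(hostname))) throw new Error(`blocked: ${hostname}`);
  return send(resolve(hostname), hostname, path);   // second resolution: the TOCTOU window
}
// Pinned shape: resolve once, validate, and connect to that exact IP (the hostname is still
// passed for Host/SNI). Each redirect hop is resolved, validated and pinned the same way.
export function fetchPinned(url: string, resolve: Resolver, send: Transport, maxHops = 5): FetchResult {
  let target = parseHttpUrl(url);
  for (let hop = 0; hop <= maxHops; hop++) {
    const ip = resolve(target.hostname);
    if (isPrivateIPv4(ip)) throw new Error(`blocked: ${target.hostname} -> ${ip}`);
    const res = send(ip, target.hostname, target.path);
    if (res.status >= 300 && res.status < 400 && res.location) { target = parseHttpUrl(res.location); continue; }
    return res;
  }
  throw new Error("too many redirects");
}
// Constructed rebinding resolver: a public address on the first answer, the metadata address after.
export function rebindingResolver(): Resolver {
  let calls = 0;
  return () => (calls++ === 0 ? "203.0.113.10" : "169.254.169.254");
}
// Constructed transport that records which IP each socket would be opened to; `script`
// supplies canned responses (e.g. a redirect) before falling back to a plain 200.
export function recordingTransport(script: FetchResult[] = []): { send: Transport; targets: string[] } {
  const targets: string[] = [];
  return { targets, send: (ip) => { targets.push(ip); return script.shift() || { status: 200, body: `from ${ip}` }; } };
}
```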


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-6011 is a Server-Side Request Forgery (SSRF) vulnerability that can allow attackers to bypass protections and access sensitive internal services, such as cloud metadata endpoints, potentially leading to information disclosure.

Such unauthorized access and potential data leakage could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and health information from unauthorized access and disclosure.

However, the vulnerability is characterized by high exploitation complexity and requires attacker control over DNS and precise timing, making exploitation difficult.

Organizations using affected versions of OpenClaw should upgrade to the patched version to mitigate risks and maintain compliance with data protection regulations.

