CVE-2026-35673
SSRF Policy Bypass in OpenClaw via Debug and Export Routes
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.4.29 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35673 is a Server-Side Request Forgery (SSRF) policy bypass vulnerability found in OpenClaw versions before 2026.4.29. It affects the browser debug and export routes, allowing attackers who have access to these routes to reuse already-open blocked tabs. This reuse enables them to bypass private-network SSRF protections and access or inspect content that should be protected and inaccessible.
The root cause of this vulnerability is incorrect authorization (CWE-863), which means the system does not properly verify whether the user is allowed to perform certain actions, leading to unauthorized access.
How can this vulnerability impact me? :
This vulnerability can allow attackers with limited access to bypass SSRF protections designed to prevent unauthorized access to private network resources. By exploiting this flaw, attackers could gain unauthorized access to sensitive or protected content that should remain inaccessible, potentially leading to information disclosure or further exploitation within the private network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves SSRF policy bypass in OpenClaw versions before 2026.4.29 via browser debug and export routes that reuse already-open blocked tabs.
Detection would require monitoring access to these specific browser debug and export routes to identify unauthorized reuse of blocked tabs.
Since the vulnerability is related to incorrect authorization on these routes, commands or tools that inspect HTTP requests to these endpoints and analyze for suspicious reuse of blocked tabs could help detect exploitation attempts.
However, no specific detection commands or scripts are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade OpenClaw to version 2026.4.29 or later, where this SSRF policy bypass vulnerability has been fixed.
Until the upgrade can be applied, restrict access to the browser debug and export routes to trusted users only, as attackers require access to these routes to exploit the vulnerability.
Additionally, review and tighten authorization controls on these routes to prevent unauthorized reuse of blocked tabs.