CVE-2026-27488

Severity: HIGH
CVSS: 7.3
WAF coverage: Medium
Published: 2026-02-21
CWE: CWE-918 (Server-Side Request Forgery)

OpenClaw is a personal AI assistant. In versions up to and including 2026.2.17, cron webhook delivery in src/gateway/server-cron.ts passes the configured webhook URL straight to fetch(), bypassing the SSRF policy checks, so a webhook target can point at private, loopback, link-local/cloud-metadata or other internal endpoints and the gateway will request them on the attacker's behalf. This issue was fixed in version 2026.2.19.
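The shape of the fix, as an added example rather than OpenClaw's own code: an outbound SSRF policy check run before fetch(), with the unchecked delivery that matches the flaw beside the gated one. The resolver and the sender are injected so the block runs offline; the names checkWebhookTarget, isBlockedAddress, Resolver and Sender are this example's, and a production caller would resolve with dns.promises.lookup (making the check async) and pass fetch as the sender.

```typescript
// Added example, not OpenClaw's code. Resolver is synchronous here so the
// example runs offline; in production wrap dns.promises.lookup and await it.
type Resolver = (hostname: string) => string[];
type Sender = (url: string, init: { method: string; body: string }) => Promise<unknown>;

class SsrfPolicyError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "SsrfPolicyError";
  }
}

function parseIPv4(host: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Addresses a webhook must never reach: "this network", RFC 1918, loopback,
// CGNAT, link-local (which includes the 169.254.169.254 metadata endpoint),
// multicast/reserved, and the IPv6 unspecified, loopback, link-local and
// unique-local ranges. IPv4-mapped IPv6 is unwrapped when dotted; the hex
// form (::ffff:7f00:1) is rejected outright rather than guessed at.
function isBlockedAddress(ip: string): boolean {
  const lower = ip.toLowerCase();
  const mapped = lower.startsWith("::ffff:");
  const v4 = parseIPv4(mapped ? lower.slice(7) : lower);
  if (v4) {
    const [a, b] = v4;
    return (
      a === 0 || a === 10 || a === 127 ||
      (a === 100 && b >= 64 && b <= 127) ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) ||
      a >= 224
    );
  }
  if (mapped) return true; // fail closed on mapped addresses we did not parse
  return lower === "::" || lower === "::1" || /^fe[89ab]/.test(lower) || /^f[cd]/.test(lower);
}

// Parses the target, enforces scheme and credential rules, resolves the
// host and rejects it if ANY resolved address is blocked. Returns the
// vetted URL and the address the caller should pin its connection to.
function checkWebhookTarget(target: string, resolve: Resolver): { url: URL; address: string } {
  let url: URL;
  try {
    url = new URL(target);
  } catch {
    throw new SsrfPolicyError(`not a valid URL: ${target}`);
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new SsrfPolicyError(`scheme not allowed: ${url.protocol}`);
  }
  if (url.username || url.password) {
    throw new SsrfPolicyError("credentials in webhook URL are not allowed");
  }
  // WHATWG URL canonicalises numeric hosts, so http://2130706433/ arrives
  // here as 127.0.0.1; IPv6 literals keep their brackets, strip them.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  const isLiteral = parseIPv4(host) !== null || host.includes(":");
  const addresses = isLiteral ? [host] : resolve(host);
  if (addresses.length === 0) {
    throw new SsrfPolicyError(`unresolvable host: ${host}`);
  }
  const bad = addresses.find(isBlockedAddress);
  if (bad !== undefined) {
    throw new SsrfPolicyError(`host ${host} resolves to blocked address ${bad}`);
  }
  return { url, address: addresses[0] };
}

// Before: the shape of the flaw, the configured URL goes straight to the sender.
async function deliverWebhookUnchecked(target: string, body: string, send: Sender): Promise<unknown> {
  return send(target, { method: "POST", body });
}

// After: the policy check gates delivery. Pinning the socket to the vetted
// address (so the sender does not re-resolve the name) needs a custom
// dispatcher and is not shown here, so a DNS rebinding between the check
// and the connect is outside what this example covers.
async function deliverWebhook(target: string, body: string, resolve: Resolver, send: Sender): Promise<unknown> {
  const { url } = checkWebhookTarget(target, resolve);
  return send(url.href, { method: "POST", body });
}
```

Rejecting when any resolved address is blocked (rather than only the first) matters because a hostname can legitimately return a public address alongside an internal one, and it is the resolver, not the attacker, that picks which the client uses.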

WAF Coverage Analysis

Server-Side Request Forgery (SSRF): Medium WAF coverage

OWASP: A10:2021 SSRF

CRS rule group: 934xxx (Node.js / Generic Injection)

A WAF only sees the inbound request that configures the webhook target; the vulnerable fetch() happens server-side and never crosses the WAF. Coverage is therefore limited to matching obvious loopback, private and metadata address patterns in that request and does not catch a target hostname that resolves to an internal address.

Affected Software

Vendor     Product    Version
openclaw   openclaw   up to 2026.2.17
