CVE-2026-32037

MEDIUM WAF: Medium

CVSS 6.0 Published: 2026-03-19

CWE-918

OpenClaw versions prior to 2026.2.22 fail to consistently validate redirect chains against configured mediaAllowHosts allowlists during MSTeams media downloads. Attackers can supply or influence attachment URLs to force redirects to non-allowlisted targets, bypassing SSRF boundary controls.

WAF Coverage Analysis

Server-Side Request Forgery (SSRF) Medium WAF Coverage

OWASP: A10:2021 SSRF

934xxx - Node.js / Generic Injection

References

github.com
github.com
github.com
www.vulncheck.com

Back to CVE Database