CVE-2026-34504
HIGH WAF: Medium
CVSS 8.3
Published: 2026-03-31
CWE-918
OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-provider.ts component that allows attackers to fetch internal URLs. A malicious or compromised fal relay can exploit unguarded image download fetches to expose internal service metadata and responses through the image pipeline.
WAF Coverage Analysis
Server-Side Request Forgery (SSRF)
Medium WAF Coverage
OWASP: A10:2021 SSRF
934xxx - Node.js / Generic Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| openclaw | openclaw | up to 2026.3.28 |
References
- github.com (Patch)
- github.com (Vendor Advisory)
- www.vulncheck.com (Third Party Advisory)