SSRF via unrestricted gatewayUrl override in OpenClaw Gateway tool
In OpenClaw prior to version 2026.2.14, the Gateway tool accepted a tool-supplied gatewayUrl and allowed some tool call paths to pass that value into the Gateway WebSocket client without sufficient validation or allowlisting. As a result, an authorized or otherwise capable tool caller could cause the OpenClaw host to initiate outbound WebSocket connections to attacker-specified endpoints instead of only approved gateway destinations. Reachable targets could include localhost services, private network addresses, and cloud metadata IPs. The issue is effectively a server-side request forgery condition in the WebSocket client path. The vendor states that version 2026.2.14 restricts tool-supplied gatewayUrl overrides to loopback on the configured gateway port or the configured gateway.remote.url, and rejects disallowed protocols, embedded credentials, query or hash components, and non-root paths.
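As an added example that is not OpenClaw's own code, the allowlist the vendor describes for 2026.2.14 (and which the Remediation section repeats) written as a standalone TypeScript check: a tool-supplied gatewayUrl may only point at loopback on the configured gateway port or at the configured gateway.remote.url, and anything with a disallowed protocol, embedded credentials, a query or hash component, or a non-root path is refused. The function and parameter names, the ws:/wss: protocol set, and the loopback host spellings are assumptions; the parsing relies on the WHATWG URL class built into Node.

```typescript
// Added example, not OpenClaw's own code: an allowlist check for a tool-supplied
// gatewayUrl override, following the vendor's description of the 2026.2.14 fix.
// Names, the ws:/wss: set and the loopback host list are assumptions.
const ALLOWED_PROTOCOLS = new Set(["ws:", "wss:"]);
// The WHATWG URL parser reports an IPv6 loopback host as "[::1]".
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

interface GatewayUrlVerdict { ok: boolean; reason?: string }

function parseOrNull(value: string): URL | null {
  try { return new URL(value); } catch { return null; }
}

// gatewayPort is the configured gateway port; remoteUrl is the configured
// gateway.remote.url, if any. Structural rules run first, then destination rules.
function checkGatewayUrlOverride(
  candidate: string,
  gatewayPort: number,
  remoteUrl?: string,
): GatewayUrlVerdict {
  const url = parseOrNull(candidate);
  if (url === null) return { ok: false, reason: "unparseable URL" };
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: `protocol ${url.protocol} not allowed` };
  }
  // "ws://127.0.0.1:18789@evil.example/" parses the loopback-looking text as
  // userinfo and connects to evil.example; refusing credentials closes that.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "embedded credentials" };
  }
  if (url.search !== "" || url.hash !== "" || /[?#]/.test(candidate)) {
    return { ok: false, reason: "query or hash component" };
  }
  if (url.pathname !== "/") {
    return { ok: false, reason: `non-root path ${url.pathname}` };
  }
  // Rule 1: loopback on the configured gateway port (ws defaults to 80, wss to 443).
  const port = url.port !== "" ? Number(url.port) : url.protocol === "wss:" ? 443 : 80;
  if (LOOPBACK_HOSTS.has(url.hostname) && port === gatewayPort) return { ok: true };
  // Rule 2: exactly the configured remote URL, compared after normalisation.
  const remote = remoteUrl === undefined ? null : parseOrNull(remoteUrl);
  if (remote !== null && url.href === remote.href) return { ok: true };
  return { ok: false, reason: `destination ${url.host} not allowlisted` };
}
```

Egress filtering at the host level (the mitigation below) still belongs alongside a check like this, since the allowlist only covers the Gateway tool's own code path.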
Impact, mitigation & remediation
Mitigation
gatewayUrl overrides, directly or indirectly. Ensure these tool paths are available only to authenticated and trusted operators or trusted automation. If such tool calls are exposed to non-operators, disable the override capability or enforce a strict allowlist of permitted gateway endpoints. At the network layer, block or tightly control egress from the OpenClaw host to sensitive internal destinations, including localhost, RFC1918 ranges, link-local addresses, and cloud metadata IPs.
Remediation
gatewayUrl overrides to loopback on the configured gateway port or the configured gateway.remote.url, and rejects unsupported protocols, credentials, query/hash components, and non-root paths. The referenced fix commit is c5406e1d2434be2ef6eb4d26d8f1798d718713f4.
Exploits
No public exploit code observed for this vulnerability.
Recent activity
One of several additional OpenClaw vulnerabilities mentioned as part of a broader stack of moderate- to high-severity flaws affecting the platform.
One of several recently disclosed OpenClaw vulnerabilities, ranging from moderate to high severity, that could lead to serious impacts such as remote code execution, command injection, SSRF, authentication bypass, or path traversal.