GHSA-j4c5-89f5-f3pm: OpenClaw: Browser CDP profile creation skipped strict-mode SSRF checks
Browser profile creation normalized cdpUrl values before persisting them, but did not apply the configured browser SSRF policy at creation time. In deployments that had explicitly disabled private-network CDP targets, a stored profile could therefore still point at a private-network or cloud-metadata endpoint, and the normal profile status flows that contact the stored cdpUrl would later probe that endpoint.
Default trusted-operator browser behavior allows private-network CDP endpoints, so this only affected strict-mode deployments. Severity is low.