GHSA-qxgf-hmcj-3xw3: OpenClaw affected by SSRF via unguarded image download in fal provider

April 1, 2026 (updated April 6, 2026)

The fal provider used raw fetches for both provider API traffic and returned image download URLs instead of the existing SSRF-guarded fetch path.

References

github.com/advisories/GHSA-qxgf-hmcj-3xw3
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/80d1e8a11a2ac118c7f7a70bba9c862b6141d928
github.com/openclaw/openclaw/releases/tag/v2026.3.28
github.com/openclaw/openclaw/security/advisories/GHSA-qxgf-hmcj-3xw3

Code Behaviors & Features

Detect and mitigate GHSA-qxgf-hmcj-3xw3 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →