GHSA-w8g9-x8gx-crmm: OpenClaw: Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable
Strict browser SSRF checks could miss Playwright request-time navigation to private targets.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.