CVE-2026-32019: OpenClaw has incomplete IPv4 special-use SSRF blocking in web fetch guard
The isPrivateIpv4() check in OpenClaw's bundled SSRF guard did not cover several IPv4 special-use (non-global) address ranges, so the web_fetch tool could be pointed at targets that the SSRF policy was meant to block.
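The following is an added example written for this page, not OpenClaw's guard code or any of the referenced commits. It contrasts an assumed "narrow" check built only from the RFC 1918 private blocks plus loopback with one built from the non-global blocks in the IANA IPv4 Special-Purpose Address Registry (RFC 6890 and its successors), and lists which probe addresses the narrow check lets through. The advisory does not say which specific ranges isPrivateIpv4() missed, so the narrow list and all function names here are illustrative assumptions.

```javascript
// Added example, not OpenClaw's code. Shows why an SSRF guard built only
// from the RFC 1918 ranges plus loopback is incomplete, by checking it
// against the non-global blocks of the IANA IPv4 Special-Purpose Address
// Registry. NARROW_RANGES is an assumed illustration; the advisory does not
// state which ranges OpenClaw's isPrivateIpv4() actually missed.

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit value held in a
// JS number (so bit 31 never goes negative); returns null for anything else.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ipInt lies inside the CIDR block "a.b.c.d/bits".
function inCidr(ipInt, cidr) {
  const [base, bits] = cidr.split("/");
  const baseInt = ipv4ToInt(base);
  const span = 2 ** (32 - Number(bits));
  return ipInt >= baseInt && ipInt < baseInt + span;
}

// Assumed "narrow" guard: what many hand-rolled private-IP checks cover.
const NARROW_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"];

// Non-global blocks from the IANA IPv4 Special-Purpose Address Registry.
const SPECIAL_USE_RANGES = [
  "0.0.0.0/8",          // "this network"
  "10.0.0.0/8",         // private (RFC 1918)
  "100.64.0.0/10",      // shared address space / CGNAT (RFC 6598)
  "127.0.0.0/8",        // loopback
  "169.254.0.0/16",     // link-local, including cloud metadata 169.254.169.254
  "172.16.0.0/12",      // private (RFC 1918)
  "192.0.0.0/24",       // IETF protocol assignments
  "192.0.2.0/24",       // TEST-NET-1
  "192.88.99.0/24",     // 6to4 relay anycast (deprecated)
  "192.168.0.0/16",     // private (RFC 1918)
  "198.18.0.0/15",      // benchmarking
  "198.51.100.0/24",    // TEST-NET-2
  "203.0.113.0/24",     // TEST-NET-3
  "224.0.0.0/4",        // multicast
  "240.0.0.0/4",        // reserved
  "255.255.255.255/32", // limited broadcast
];

// Both guards fail closed: an unparseable literal is treated as blocked.
function matchesAny(ip, ranges) {
  const n = ipv4ToInt(ip);
  if (n === null) return true;
  return ranges.some((cidr) => inCidr(n, cidr));
}
const isPrivateIpv4Narrow = (ip) => matchesAny(ip, NARROW_RANGES);
const isNonGlobalIpv4 = (ip) => matchesAny(ip, SPECIAL_USE_RANGES);

// Probe a guard with one constructed address per special-use block and return
// the ones it would let through, i.e. the guard's blind spots.
function guardGaps(guard) {
  const probes = [
    "0.0.0.0", "10.1.2.3", "100.64.0.1", "127.0.0.1", "169.254.169.254",
    "172.16.0.1", "192.0.0.1", "192.0.2.1", "192.88.99.1", "192.168.1.1",
    "198.18.0.1", "198.51.100.1", "203.0.113.1", "224.0.0.1", "240.0.0.1",
    "255.255.255.255",
  ];
  return probes.filter((ip) => !guard(ip));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("narrow guard lets through:", guardGaps(isPrivateIpv4Narrow));
  console.log("full guard lets through:", guardGaps(isNonGlobalIpv4));
}
```

A range table is only half of an SSRF guard. In a fetch tool the check has to run on every address the resolver actually returns (and again after each redirect), not just on the hostname the caller supplied, and it has to reject IPv4-mapped IPv6 literals and non-canonical forms (decimal, octal, or shortened dotted forms) before they reach the HTTP client, since those bypass a dotted-quad regex entirely. These are general practitioner caveats, not findings about OpenClaw's implementation.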
References
- github.com/advisories/GHSA-4rqq-w8v4-7p47
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/333fbb86347998526dd514290adfd5f727caa6d9
- github.com/openclaw/openclaw/commit/44dfbd23df453e51b71ef79a148c28c53e89168c
- github.com/openclaw/openclaw/commit/71bd15bb4294d3d1b54386064d69cd0f5f731bd8
- github.com/openclaw/openclaw/commit/f14ebd743cfc73f667fae80af70043d0ab1f88bd
- github.com/openclaw/openclaw/security/advisories/GHSA-4rqq-w8v4-7p47
- nvd.nist.gov/vuln/detail/CVE-2026-32019