CVE-2026-27488
OpenClaw < 2026.2.19 - Server-Side Request Forgery via Cron Webhook Delivery
Severity
HIGH
Title source: llmDescription
OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch() directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19.
References (3)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/openclaw/openclaw/security/advisories/GHSA-w45g-5746-x9fp
Patch x_refsource_misc
https://github.com/openclaw/openclaw/commit/99db4d13e5c139883ef0def9ff963e9273179655
Release Notes x_refsource_misc
https://github.com/openclaw/openclaw/releases/tag/v2026.2.19
Scores
CVSS v3
7.3
EPSS
0.0033
EPSS Percentile
24.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (2)
npm/openclaw
0 - 2026.2.19 (npm)
openclaw/openclaw
< 2026.2.17
Published
Feb 21, 2026
Tracked Since
Feb 21, 2026