Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-26322

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-19 Feb, 2026 | 22:33
Updated At-19 Feb, 2026 | 22:33
Rejected At-
Credits

OpenClaw Gateway tool allowed unrestricted gatewayUrl override

OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Gateway tool accepted a tool-supplied `gatewayUrl` without sufficient restrictions, which could cause the OpenClaw host to attempt outbound WebSocket connections to user-specified targets. This requires the ability to invoke tools that accept `gatewayUrl` overrides (directly or indirectly). In typical setups this is limited to authenticated operators, trusted automation, or environments where tool calls are exposed to non-operators. In other words, this is not a drive-by issue for arbitrary internet users unless a deployment explicitly allows untrusted users to trigger these tool calls. Some tool call paths allowed `gatewayUrl` overrides to flow into the Gateway WebSocket client without validation or allowlisting. This meant the host could be instructed to attempt connections to non-gateway endpoints (for example, localhost services, private network addresses, or cloud metadata IPs). In the common case, this results in an outbound connection attempt from the OpenClaw host (and corresponding errors/timeouts). In environments where the tool caller can observe the results, this can also be used for limited network reachability probing. If the target speaks WebSocket and is reachable, further interaction may be possible. Starting in version 2026.2.14, tool-supplied `gatewayUrl` overrides are restricted to loopback (on the configured gateway port) or the configured `gateway.remote.url`. Disallowed protocols, credentials, query/hash, and non-root paths are rejected.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:19 Feb, 2026 | 22:33
Updated At:19 Feb, 2026 | 22:33
Rejected At:
â–¼CVE Numbering Authority (CNA)
OpenClaw Gateway tool allowed unrestricted gatewayUrl override

OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Gateway tool accepted a tool-supplied `gatewayUrl` without sufficient restrictions, which could cause the OpenClaw host to attempt outbound WebSocket connections to user-specified targets. This requires the ability to invoke tools that accept `gatewayUrl` overrides (directly or indirectly). In typical setups this is limited to authenticated operators, trusted automation, or environments where tool calls are exposed to non-operators. In other words, this is not a drive-by issue for arbitrary internet users unless a deployment explicitly allows untrusted users to trigger these tool calls. Some tool call paths allowed `gatewayUrl` overrides to flow into the Gateway WebSocket client without validation or allowlisting. This meant the host could be instructed to attempt connections to non-gateway endpoints (for example, localhost services, private network addresses, or cloud metadata IPs). In the common case, this results in an outbound connection attempt from the OpenClaw host (and corresponding errors/timeouts). In environments where the tool caller can observe the results, this can also be used for limited network reachability probing. If the target speaks WebSocket and is reachable, further interaction may be possible. Starting in version 2026.2.14, tool-supplied `gatewayUrl` overrides are restricted to loopback (on the configured gateway port) or the configured `gateway.remote.url`. Disallowed protocols, credentials, query/hash, and non-root paths are rejected.

Affected Products
Vendor
openclaw
Product
openclaw
Versions
Affected
  • < 2026.2.14
Problem Types
TypeCWE IDDescription
CWECWE-918CWE-918: Server-Side Request Forgery (SSRF)
Type: CWE
CWE ID: CWE-918
Description: CWE-918: Server-Side Request Forgery (SSRF)
Metrics
VersionBase scoreBase severityVector
3.17.6HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Version: 3.1
Base score: 7.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/openclaw/openclaw/security/advisories/GHSA-g6q9-8fvw-f7rf
x_refsource_CONFIRM
https://github.com/openclaw/openclaw/commit/c5406e1d2434be2ef6eb4d26d8f1798d718713f4
x_refsource_MISC
https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
x_refsource_MISC
Hyperlink: https://github.com/openclaw/openclaw/security/advisories/GHSA-g6q9-8fvw-f7rf
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/openclaw/openclaw/commit/c5406e1d2434be2ef6eb4d26d8f1798d718713f4
Resource:
x_refsource_MISC
Hyperlink: https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
Resource:
x_refsource_MISC
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:19 Feb, 2026 | 23:16
Updated At:19 Feb, 2026 | 23:16

OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Gateway tool accepted a tool-supplied `gatewayUrl` without sufficient restrictions, which could cause the OpenClaw host to attempt outbound WebSocket connections to user-specified targets. This requires the ability to invoke tools that accept `gatewayUrl` overrides (directly or indirectly). In typical setups this is limited to authenticated operators, trusted automation, or environments where tool calls are exposed to non-operators. In other words, this is not a drive-by issue for arbitrary internet users unless a deployment explicitly allows untrusted users to trigger these tool calls. Some tool call paths allowed `gatewayUrl` overrides to flow into the Gateway WebSocket client without validation or allowlisting. This meant the host could be instructed to attempt connections to non-gateway endpoints (for example, localhost services, private network addresses, or cloud metadata IPs). In the common case, this results in an outbound connection attempt from the OpenClaw host (and corresponding errors/timeouts). In environments where the tool caller can observe the results, this can also be used for limited network reachability probing. If the target speaks WebSocket and is reachable, further interaction may be possible. Starting in version 2026.2.14, tool-supplied `gatewayUrl` overrides are restricted to loopback (on the configured gateway port) or the configured `gateway.remote.url`. Disallowed protocols, credentials, query/hash, and non-root paths are rejected.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.6HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Type: Secondary
Version: 3.1
Base score: 7.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-918Primarysecurity-advisories@github.com
CWE ID: CWE-918
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/openclaw/openclaw/commit/c5406e1d2434be2ef6eb4d26d8f1798d718713f4security-advisories@github.com
N/A
https://github.com/openclaw/openclaw/releases/tag/v2026.2.14security-advisories@github.com
N/A
https://github.com/openclaw/openclaw/security/advisories/GHSA-g6q9-8fvw-f7rfsecurity-advisories@github.com
N/A
Hyperlink: https://github.com/openclaw/openclaw/commit/c5406e1d2434be2ef6eb4d26d8f1798d718713f4
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/openclaw/openclaw/security/advisories/GHSA-g6q9-8fvw-f7rf
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

12Records found
CVE-2026-26324
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-Not Assigned
Published-19 Feb, 2026 | 22:49
Updated-19 Feb, 2026 | 23:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable)

OpenClaw is a personal AI assistant. Prior to version 2026.2.14, OpenClaw's SSRF protection could be bypassed using full-form IPv4-mapped IPv6 literals such as `0:0:0:0:0:ffff:7f00:1` (which is `127.0.0.1`). This could allow requests that should be blocked (loopback / private network / link-local metadata) to pass the SSRF guard. Version 2026.2.14 patches the issue.

Action-Not Available
Vendor-openclaw
Product-openclaw
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-68662
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.6||HIGH
EPSS-0.04% / 13.43%
||
7 Day CHG~0.00%
Published-28 Jan, 2026 | 19:12
Updated-30 Jan, 2026 | 20:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FinalDestination hostname matching allows SSRF protection bypass

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, a hostname validation issue in FinalDestination could allow bypassing SSRF protections under certain conditions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-61784
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.06% / 17.47%
||
7 Day CHG~0.00%
Published-Not Available
Updated-22 Oct, 2025 | 18:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

LLaMA-Factory is a tuning library for large language models. Prior to version 0.9.4, a Server-Side Request Forgery (SSRF) vulnerability in the chat API allows any authenticated user to force the server to make arbitrary HTTP requests to internal and external networks. This can lead to the exposure of sensitive internal services, reconnaissance of the internal network, or interaction with third-party services. The same mechanism also allows for a Local File Inclusion (LFI) vulnerability, enabling users to read arbitrary files from the server's filesystem. The vulnerability exists in the `_process_request` function within `src/llamafactory/api/chat.py.` This function is responsible for processing incoming multimodal content, including images, videos, and audio provided via URLs. The function checks if the provided URL is a base64 data URI or a local file path (`os.path.isfile`). If neither is true, it falls back to treating the URL as a web URI and makes a direct HTTP GET request using `requests.get(url, stream=True).raw` without any validation or sanitization of the URL. Version 0.9.4 fixes the underlying issue.

Action-Not Available
Vendor-hiyouga
Product-llama-factory
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-33203
Matching Score-4
Assigner-NVIDIA Corporation
ShareView Details
Matching Score-4
Assigner-NVIDIA Corporation
CVSS Score-7.6||HIGH
EPSS-0.05% / 15.62%
||
7 Day CHG~0.00%
Published-25 Nov, 2025 | 18:10
Updated-26 Nov, 2025 | 15:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NVIDIA NeMo Agent Toolkit UI for Web contains a vulnerability in the chat API endpoint where an attacker may cause a Server-Side Request Forgery. A successful exploit of this vulnerability may lead to information disclosure and denial of service.

Action-Not Available
Vendor-NVIDIA Corporation
Product-NeMo Agent ToolKit
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-29457
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.6||HIGH
EPSS-0.70% / 71.53%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 00:00
Updated-24 Apr, 2025 | 14:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Import a Theme function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.

Action-Not Available
Vendor-n/aMyBB
Product-mybbn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-29459
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.6||HIGH
EPSS-0.69% / 71.40%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 00:00
Updated-27 Jun, 2025 | 15:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Mail function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.

Action-Not Available
Vendor-n/aMyBB
Product-mybbn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-29461
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.6||HIGH
EPSS-0.69% / 71.40%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 00:00
Updated-21 Aug, 2025 | 18:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in a-blogcms 3.1.15 allows a remote attacker to obtain sensitive information via the /bid/1/admin/entry-edit/ path.

Action-Not Available
Vendor-appleplen/a
Product-a-blogcmsn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-29460
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.6||HIGH
EPSS-0.55% / 67.55%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 00:00
Updated-25 Apr, 2025 | 16:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Add Mycode function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.

Action-Not Available
Vendor-n/aMyBB
Product-mybbn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-29451
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.6||HIGH
EPSS-0.69% / 71.40%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 00:00
Updated-21 Apr, 2025 | 14:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in Seo Panel 4.11.0 allows a remote attacker to obtain sensitive information via the Mail Setting component.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-29458
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.6||HIGH
EPSS-0.70% / 71.53%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 00:00
Updated-24 Apr, 2025 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.

Action-Not Available
Vendor-n/aMyBB
Product-mybbn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2020-24898
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.6||HIGH
EPSS-0.22% / 44.17%
||
7 Day CHG~0.00%
Published-29 Aug, 2020 | 19:57
Updated-04 Aug, 2024 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Table Filter and Charts for Confluence Server app before 5.3.26 (for Atlassian Confluence) allows SSRF via the "Table from CSV" macro (URL parameter).

Action-Not Available
Vendor-stiltsoftn/a
Product-table_filter_and_charts_for_confluence_servern/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-29452
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.6||HIGH
EPSS-0.69% / 71.40%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 00:00
Updated-21 Apr, 2025 | 14:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in Seo Panel 4.11.0 allows a remote attacker to obtain sensitive information via the Proxy Manager component.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
Details not found