CVEReports

GHSA-9Q7V-8MR7-G23P
7.6

GHSA-9Q7V-8MR7-G23P: Server-Side Request Forgery (SSRF) in OpenClaw AI Assistant

Amit Schendel
Senior Security Researcher

Apr 2, 2026

PoC Available

Executive Summary (TL;DR)

A Server-Side Request Forgery (SSRF) flaw in OpenClaw allows attackers to access internal network resources via unvalidated URL inputs in the Ollama configuration and Marketplace plugin downloader.

OpenClaw versions prior to v2026.3.31 suffer from a high-severity Server-Side Request Forgery (SSRF) vulnerability. The application fails to validate user-supplied URLs in the Ollama extension and Marketplace plugin downloader, allowing unauthenticated or authenticated attackers to perform outbound HTTP requests to arbitrary internal and external resources.

Vulnerability Overview

OpenClaw is a personal AI assistant project that integrates with local and remote machine learning models. A core component of this architecture involves retrieving model metadata and downloading third-party extensions. The application performs these outbound network requests on behalf of the user.

A Server-Side Request Forgery (SSRF) vulnerability, classified as CWE-918, exists in the network request implementation of OpenClaw versions prior to v2026.3.31. The flaw resides in two primary components: the Ollama extension and the Marketplace plugin downloader. Both components accept user-controlled uniform resource identifiers and initiate backend HTTP connections without adequate input sanitization or destination verification.

This vulnerability permits an attacker to coerce the OpenClaw backend server into issuing HTTP requests to arbitrary targets. By manipulating the requested destination, an attacker can target internal systems that are otherwise shielded by firewalls or network address translation. The primary consequence is unauthorized access to sensitive internal application programming interfaces and cloud metadata endpoints.

Root Cause Analysis

The root cause of this SSRF vulnerability is the unconstrained use of the native JavaScript fetch() API for outbound network communication. In the Ollama extension, the application requires a baseUrl configuration to interface with a target model server. For requests to endpoints such as /api/tags, /api/show, and /api/pull, the backend directly concatenates the user-supplied baseUrl with the specific endpoint path.

The application fails to implement hostname validation or URL parsing constraints prior to executing the fetch() call. The absence of a dedicated egress filter means the server implicitly trusts the provided destination. Consequently, an attacker can supply a baseUrl pointing to internal IPv4 addresses, loopback interfaces, or local hostnames.

The Marketplace functionality introduces a secondary SSRF vector via the downloadUrlToTempFile function. This function is designed to retrieve compressed plugin archives (.tgz) from remote repositories. Similar to the Ollama vector, the function passes the attacker-controlled URL directly to the fetch() API. The server executes the request and processes the response, creating an avenue for internal network enumeration based on request timing and error state responses.

Code Analysis and Patch Walkthrough

The original implementation of the network request logic relied on direct invocations of the fetch() API. The backend application lacked a centralized mechanism to inspect outbound destinations, allowing user input to directly control the network request target.

Commit 8deb9522f3d2680820588b190adb4a2a52f3670b resolves this flaw by introducing a comprehensive fetchWithSsrFGuard wrapper located in openclaw/plugin-sdk/ssrf-runtime. This architectural shift centralizes egress filtering. For the Ollama extension specifically, the patch introduces buildOllamaBaseUrlSsrFPolicy to enforce strict hostname pinning.

export function buildOllamaBaseUrlSsrFPolicy(baseUrl: string): SsrFPolicy | undefined {
  const parsed = new URL(baseUrl.trim());
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return undefined;
  return {
    allowedHostnames: [parsed.hostname],
    hostnameAllowlist: [parsed.hostname],
  };
}

The updated architecture mandates an auditContext for every guarded fetch invocation. This ensures that all outbound requests are categorized and logged, facilitating security monitoring. Furthermore, the patch implements a finally block to explicitly release response bodies, neutralizing resource exhaustion attacks that rely on stalled network connections.
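
The controls this section describes (scheme restriction, hostname pinning, an audit entry for every request, and releasing the response body in a finally block) are shown together below. This is an added example, not OpenClaw's fetchWithSsrFGuard or any code from the patch; checkDestination, guardedFetchJson, the reason strings, the 5-second timeout and the refusal of IPv6 literals are assumptions made for illustration.

```javascript
// Added example; not OpenClaw's fetchWithSsrFGuard. All names here are hypothetical.
// Loopback and RFC1918 (named on the page), plus link-local (IMDS) and 0.0.0.0/8.
const BLOCKED_V4 = [["127.0.0.0", 8], ["10.0.0.0", 8], ["172.16.0.0", 12],
                    ["192.168.0.0", 16], ["169.254.0.0", 16], ["0.0.0.0", 8]];
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}
function isBlockedIPv4(host) {
  const ip = ipv4ToInt(host);
  if (ip === null) return false;
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// Returns { ok, reason, href? }; allowedHostnames pins the destination host.
function checkDestination(rawUrl, allowedHostnames = []) {
  const deny = (reason) => ({ ok: false, reason });
  let url;
  try { url = new URL(String(rawUrl).trim()); } catch { return deny("unparseable"); }
  if (url.protocol !== "http:" && url.protocol !== "https:") return deny("scheme");
  // URL() canonicalises IPv4 spellings such as 2130706433 to dotted-quad form.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (host === "localhost" || host.endsWith(".localhost")) return deny("internal-address");
  if (host.startsWith("[")) return deny("ipv6-literal"); // conservative: refuse IPv6 literals
  if (isBlockedIPv4(host)) return deny("internal-address");
  if (allowedHostnames.length && !allowedHostnames.includes(host)) return deny("not-allowlisted");
  return { ok: true, reason: "allowed", href: url.href };
}

// Validate, write one audit entry, refuse redirects, and always release the body.
async function guardedFetchJson(rawUrl, allowedHostnames, auditContext, log = console.log) {
  const verdict = checkDestination(rawUrl, allowedHostnames);
  log(JSON.stringify({ auditContext, requested: String(rawUrl), ...verdict }));
  if (!verdict.ok) throw new Error(`blocked outbound request: ${verdict.reason}`);
  let res;
  try {
    res = await fetch(verdict.href, { redirect: "error", signal: AbortSignal.timeout(5000) });
    if (!res.ok) throw new Error(`upstream returned HTTP ${res.status}`);
    return await res.json();
  } finally {
    if (res && !res.bodyUsed) await res.body?.cancel();
  }
}
```

Literal-address checks do not catch a hostname that resolves to an internal address, so the allowlist (or a check of the resolved address at connect time) is what stops a destination such as http://internal-db-service:5432/.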

Exploitation and Attack Methodology

Exploiting the Ollama configuration vector requires the ability to modify the baseUrl parameter. An attacker with access to the configuration interface can alter this value to target internal endpoints. For example, modifying the baseUrl to http://169.254.169.254/latest/meta-data/iam/security-credentials/ causes the OpenClaw server to query the AWS Instance Metadata Service during subsequent model discovery operations.

The Marketplace vector is exploitable by supplying a malicious plugin URL. An attacker can construct a payload pointing to an internal database service, such as http://internal-db-service:5432/. While the database will not return a valid .tgz archive, the application's response timing and connection error behavior provide an oracle for internal port scanning and service fingerprinting.

The following Nuclei template demonstrates the detection methodology by injecting an out-of-band testing URL into the configuration endpoint to confirm the server processes external outbound requests.

id: openclaw-ssrf-ollama
info:
  name: OpenClaw Ollama Discovery SSRF
  severity: high
  description: Detects SSRF via unvalidated Ollama baseUrl configuration.
http:
  - method: POST
    path: "/api/ollama/configure"
    body: '{"baseUrl": "http://{{interactsh-url}}"}'
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

Impact Assessment

The primary impact of this SSRF vulnerability is the circumvention of network perimeters. Attackers leverage the OpenClaw backend server as a proxy to reach internal hosts and services that are otherwise inaccessible from the public internet. This access facilitates internal network reconnaissance and service enumeration.

In cloud environments, the impact escalates significantly. The ability to query the Instance Metadata Service (IMDS) at 169.254.169.254 allows attackers to extract temporary Identity and Access Management (IAM) credentials. Compromise of these credentials typically leads to horizontal escalation across the wider cloud deployment.

Data exfiltration is also a primary concern. The marketplace plugin downloader processes responses from the attacker-defined URLs. If an attacker directs the application to an internal endpoint containing sensitive configuration data or unprotected application interfaces, the application may inadvertently return this data in error messages or application logs.

Remediation and Mitigation Guidance

System administrators must prioritize upgrading OpenClaw to version v2026.3.31 or later. This release incorporates the fetchWithSsrFGuard logic and explicitly mitigates both the Ollama extension and Marketplace SSRF vectors.

Network-level controls provide a secondary layer of defense. Deploy OpenClaw instances within isolated virtual private clouds (VPCs) or demilitarized zones (DMZs). Implement strict egress filtering via firewalls or security groups to deny outbound traffic to RFC1918 internal IP ranges and the local loopback address (127.0.0.0/8).

For cloud deployments, mitigate metadata service abuse by enforcing IMDSv2. Requiring session tokens for metadata queries prevents simple HTTP GET request exploitation inherent in standard SSRF vulnerabilities. Additionally, monitor application and network logs for anomalous outbound connections, particularly those terminating at internal infrastructure or unexpected cloud endpoints.

Official Patches

OpenClaw: Fix commit implementing fetchWithSsrFGuard
OpenClaw: Release v2026.3.31


Technical Appendix

CVSS Score
7.6 / 10

Affected Systems

  • OpenClaw AI Assistant Backend
  • OpenClaw Ollama Extension
  • OpenClaw Marketplace Plugin Downloader

Affected Versions Detail

Product     Affected Versions    Fixed Version
OpenClaw    < v2026.3.31         v2026.3.31

Attribute              Detail
CWE ID                 CWE-918
Attack Vector          Network
CVSS v3.1 Score        7.6
Impact                 High - Confidentiality and Integrity
Exploit Status         Proof of Concept Available
Affected Components    Ollama Extension, Marketplace Downloader

MITRE ATT&CK Mapping

  • T1190: Exploit Public-Facing Application (Initial Access)
  • T1552.005: Cloud Instance Metadata API (Credential Access)

CWE-918: Server-Side Request Forgery (SSRF)

The application receives a URL from an upstream component and retrieves the contents of this URL without ensuring that the requested destination is valid.

Vulnerability Timeline

  • 2026-03-30: Vulnerability identified and patch commit pushed by Jacob Tomlinson
  • 2026-03-31: OpenClaw v2026.3.31 released to mitigate the vulnerability
  • 2026-04-02: Public disclosure published via GitHub Advisory Database
