CVE-2026-27488

Published February 21st, 2026

View on NVD ↗

CVSS v3

7.3

HIGH

CVSS v2

N/A

Affected

PROJECT

Description

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch() directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19.

openclaw/openclaw

Your own personal AI assistant. Any OS. Any Platform. The lobster way. 🦞

GitHub

380K