CVE-2026-41297 MEDIUM

CVE-2026-41297: OpenClaw < 2026.3.31 - Server-Side Request Forgery via Marketplace Plugin Download Redirect

Vendor Openclaw
Product OpenClaw
Weakness CWE-918 · SSRF
Published April 20, 2026
Last update April 21, 2026

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Passive
Confidentiality None
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N

What the vulnerability does

Description

OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows attackers to access internal resources by following unvalidated redirects. The marketplace.ts module fails to restrict redirect destinations during archive downloads, enabling remote attackers to redirect requests to arbitrary internal or external servers.
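As an added illustration of the mitigation (example code, not OpenClaw's marketplace.ts), the TypeScript below follows an archive-download redirect chain only while every hop lands on an allowlisted HTTPS host, rejecting IP literals, localhost and non-HTTPS targets; the allowlist, URLs and server responses are constructed placeholders.

```typescript
// Added example, not OpenClaw's marketplace.ts: re-validate the destination
// on every redirect hop so a Location header cannot steer the download to an
// internal service. ALLOWED_HOSTS and all URLs below are constructed placeholders.
const ALLOWED_HOSTS: string[] = ["plugins.example.invalid"];
const MAX_REDIRECTS = 5;

// Policy applied to the initial URL and to every redirect target.
function isAllowedDownloadTarget(url: URL): boolean {
  if (url.protocol !== "https:") return false;              // no plain http, file:, etc.
  if (url.username !== "" || url.password !== "") return false;
  const host = url.hostname;                                // WHATWG URL already lowercases it
  if (/^\[/.test(host)) return false;                       // IPv6 literal such as [::1]
  if (/^\d+(\.\d+){3}$/.test(host)) return false;           // IPv4 literal, private or public
  if (/(^|\.)localhost$/.test(host)) return false;
  return ALLOWED_HOSTS.indexOf(host) !== -1;
}

function parseOrNull(raw: string, base?: URL): URL | null {
  try { return new URL(raw, base); } catch (e) { return null; }
}

interface Hop { status: number; location?: string; body?: string; }
type Fetcher = (url: string) => Hop;                        // one request, redirects NOT auto-followed
interface Outcome { ok: boolean; finalUrl: string; reason: string; }

function downloadWithCheckedRedirects(start: string, fetchOnce: Fetcher): Outcome {
  const first = parseOrNull(start);
  if (first === null) return { ok: false, finalUrl: start, reason: "bad url" };
  let current: URL = first;
  for (let hops = 0; hops <= MAX_REDIRECTS; hops++) {
    if (!isAllowedDownloadTarget(current)) {
      return { ok: false, finalUrl: current.href, reason: "blocked host" };
    }
    const res = fetchOnce(current.href);
    if (res.status >= 300 && res.status < 400 && res.location !== undefined) {
      const next = parseOrNull(res.location, current);      // resolves a relative Location
      if (next === null) return { ok: false, finalUrl: current.href, reason: "bad redirect" };
      current = next;                                       // loop re-checks the new target
      continue;
    }
    if (res.status === 200) return { ok: true, finalUrl: current.href, reason: "" };
    return { ok: false, finalUrl: current.href, reason: "http " + res.status };
  }
  return { ok: false, finalUrl: current.href, reason: "too many redirects" };
}

// Constructed fake server: a legitimate relative redirect, and a redirect that
// tries to point the download at a private IPv4 address.
const FAKE_RESPONSES: { [url: string]: Hop } = {
  "https://plugins.example.invalid/archive.zip": { status: 302, location: "/cdn/archive.zip" },
  "https://plugins.example.invalid/cdn/archive.zip": { status: 200, body: "PK..." },
  "https://plugins.example.invalid/evil.zip": { status: 302, location: "https://10.0.0.5/internal/" },
};
function fakeFetch(url: string): Hop {
  return FAKE_RESPONSES[url] !== undefined ? FAKE_RESPONSES[url] : { status: 404 };
}
```

The check runs before each request rather than only on the first URL, which is the difference between validating the download and validating the whole redirect chain.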

Key dates

Disclosure timeline

April 20, 2026 CVE published
April 21, 2026 Record updated
