CVE-2026-41302 MEDIUM

CVE-2026-41302: OpenClaw < 2026.3.31 - Server-Side Request Forgery via Unguarded fetch() in Marketplace Plugin Download

Vendor Openclaw
Product OpenClaw
Weakness CWE-918 · SSRF
Published April 20, 2026
Last update April 21, 2026

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N

What the vulnerability does

01Description

OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows remote attackers to make arbitrary network requests. Attackers can exploit unguarded fetch() calls to access internal resources or interact with external services on behalf of the affected system.

Key dates

02Disclosure timeline

April 20, 2026 CVE published
April 21, 2026 Record updated

Related vulnerabilities

04Related CVE