GHSA-g86v-f9qv-rh6m: OpenClaw SSRF guard misses four IPv6 special-use ranges
Summary
OpenClaw's SSRF guard (the check that stops the application from making requests to internal network addresses) incorrectly classified certain IPv6 special-use ranges (address blocks reserved for purposes other than public routing) as public. An attacker able to make OpenClaw fetch a URL of their choosing could therefore reach internal or non-routable IPv6 addresses that the guard should have blocked.
Solution / Mitigation
Update OpenClaw to version 2026.3.28 or later. The fix was implemented in commit d61f8e5672 with the change "Net: block missing IPv6 special-use ranges."
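The following is an added illustration of the defensive check at issue here; it is not OpenClaw's guard, its fix, or any code from the advisory. It classifies a destination address against the IPv6 special-use ranges as listed in the IANA IPv6 Special-Purpose Address Registry (as known to the author of this example) and additionally unwraps the IPv4 address embedded in IPv4-mapped, NAT64 well-known-prefix and 6to4 addresses, since a guard that only tests loopback, link-local and unique-local prefixes passes those through. The function names `classify`, `embedded_ipv4` and `is_public_destination` and the labels are assumptions of this example; the list makes no claim about which four ranges the advisory refers to.

```python
# Added illustration for this advisory: a destination check that treats the
# IPv6 special-use ranges as non-public. This is NOT OpenClaw's guard or its
# fix; the range list is drawn from the IANA IPv6 Special-Purpose Address
# Registry as the author of this example knows it.
import ipaddress
from typing import Optional

# (network, label) pairs. IPv4-mapped (::ffff:0:0/96), NAT64 (64:ff9b::/96) and
# 6to4 (2002::/16) addresses embed an IPv4 address and are handled by
# embedded_ipv4() before this table is consulted.
IPV6_NON_PUBLIC = [(ipaddress.ip_network(n), label) for n, label in (
    ("::/128",         "unspecified"),
    ("::1/128",        "loopback"),
    ("64:ff9b:1::/48", "local-use-translation"),
    ("100::/64",       "discard-only"),
    ("2001::/23",      "ietf-protocol-assignments"),  # Teredo, benchmarking, ORCHID ...
    ("2001:db8::/32",  "documentation"),
    ("fc00::/7",       "unique-local"),
    ("fe80::/10",      "link-local"),
    ("ff00::/8",       "multicast"),
)]

IPV4_NON_PUBLIC = [(ipaddress.ip_network(n), label) for n, label in (
    ("0.0.0.0/8",       "this-network"),
    ("10.0.0.0/8",      "private"),
    ("100.64.0.0/10",   "shared-address-space"),
    ("127.0.0.0/8",     "loopback"),
    ("169.254.0.0/16",  "link-local"),
    ("172.16.0.0/12",   "private"),
    ("192.0.0.0/24",    "ietf-protocol-assignments"),
    ("192.0.2.0/24",    "documentation"),
    ("192.168.0.0/16",  "private"),
    ("198.18.0.0/15",   "benchmarking"),
    ("198.51.100.0/24", "documentation"),
    ("203.0.113.0/24",  "documentation"),
    ("224.0.0.0/4",     "multicast"),
    ("240.0.0.0/4",     "reserved"),
)]

NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")


def embedded_ipv4(ip: ipaddress.IPv6Address) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address carried inside a transition-mechanism IPv6 address
    (IPv4-mapped, NAT64 well-known prefix, 6to4), or None for native IPv6."""
    if ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    if ip in NAT64_WKP:
        # The IPv4 address sits in the low 32 bits of the well-known prefix.
        return ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)
    if ip.sixtofour is not None:
        return ip.sixtofour
    return None


def classify(addr: str) -> str:
    """Return "public" for a globally routable unicast address, otherwise a
    short reason suitable for a log line. Unparsable input fails closed."""
    try:
        ip = ipaddress.ip_address(addr.strip("[]"))
    except ValueError:
        return "unparsable"
    if ip.version == 6:
        inner = embedded_ipv4(ip)
        if inner is not None:
            # The wrapper inherits the status of the IPv4 address it carries.
            verdict = classify(str(inner))
            return verdict if verdict == "public" else f"embedded {inner}: {verdict}"
        table = IPV6_NON_PUBLIC
    else:
        table = IPV4_NON_PUBLIC
    for net, label in table:
        if ip in net:
            return label
    # Defence in depth: also defer to the stdlib's registry-derived view.
    return "public" if ip.is_global else "non-global"


def is_public_destination(addr: str) -> bool:
    """Boolean form, meant to be applied to the resolved address at connect
    time (and again after every redirect), not to the hostname in the URL."""
    return classify(addr) == "public"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for a in ("::1", "fe80::1", "100::1", "2001:db8::1", "::ffff:127.0.0.1",
              "64:ff9b::7f00:1", "2002:c0a8:101::", "2606:4700::1111", "8.8.8.8"):
        print(f"{a:>20}  {classify(a)}")
```

The check belongs on the address actually being connected to, after DNS resolution and on each redirect hop; checking only the hostname written in the URL leaves the guard open to a name that resolves to one of these ranges. The explicit table is kept alongside `is_global` because the stdlib's view of these ranges has changed between Python releases.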
Original source: https://github.com/advisories/GHSA-g86v-f9qv-rh6m
First tracked: March 31, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 75%