CVE-2026-8305

OpenClaw · OpenClaw

A vulnerability in OpenClaw allows unauthenticated attackers to bypass authentication mechanisms and potentially trigger Server-Side Request Forgery (SSRF).

Executive summary

An authentication bypass vulnerability in OpenClaw versions 2026.1.0 through 2026.1.7 permits unauthorized access, posing a severe risk to system security.

Vulnerability

The flaw is categorized as improper authentication, which can be leveraged by unauthenticated remote attackers to bypass security controls.

Business impact

Successful exploitation allows unauthorized access to the application, which may lead to data exfiltration or internal network compromise. The CVSS score of 7.3 reflects the significant danger posed by the lack of authentication requirements for remote attackers.

Remediation

Immediate Action: Update OpenClaw to version 2026.2.12 or higher immediately to resolve the authentication vulnerability.

Proactive Monitoring: Monitor for unusual outbound requests from the application server, which may indicate exploitation of associated SSRF conditions.

Compensating Controls: Deploy WAF rules to filter suspicious, unauthenticated requests targeting the authentication endpoints of the OpenClaw service.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Immediate patching is required for all instances of OpenClaw within the identified version range. Administrators should upgrade to version 2026.2.12 to ensure the vulnerability is fully remediated.