Home / Vulnerability Intelligence / CVE-2026-28476

CVE-2026-28476 - Vulnerability Analysis

HighCVSS: 8.3

Last Updated: March 6, 2026

OpenClaw - Server-Side Request Forgery

Published: March 5, 2026Updated: March 6, 2026Remote Exploitable

Overview

OpenClaw < 2026.2.14 contains a server-side request forgery caused by improper validation of user-provided base URLs in the Tlon Urbit extension, letting attackers induce HTTP requests to arbitrary hosts, exploit requires attacker to influence the configured Urbit URL.

Severity & Score

Severity: High

CVSS Score: 8.3

EPSS Score: 6.1%(Probability of exploitation in next 30 days)

Impact

Attackers can make the server send HTTP requests to arbitrary or internal hosts, potentially accessing internal resources or services.

Mitigation

Update to version 2026.2.14 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 7, 2026

🟠 CVE-2026-28476 - High (8.3) OpenClaw versions prior to 2026.2.14 contain a server-side request forgery vulnerability in the optional Tlon Urbit extension that accepts user-provided base URLs for authentication without proper validation. Attackers who can influence the config... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28476/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-28476
Severity: High
CVSS Score: 8.3
Type: server_side_request_forgery
Status: new
EPSS: 6.1%
Social Posts: 1

CWE

CWE-918

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

EPSS Score

6.1%Probability of exploitation in the next 30 days