GHSA-2858-xg23-26fp
OpenClaw: Node camera URL payload host-binding bypass allowed gateway fetch pivots
Severity: MEDIUM
Description
Summary
OpenClaw accepted camera.snap / camera.clip node payload url fields and downloaded them on the gateway/agent host without binding downloads to the resolved node host.
In OpenClaw's documented trust model, paired nodes are in the same operator trust boundary, so this is scoped as medium-severity hardening. A malicious or compromised paired node could still steer gateway-host fetches during camera URL retrieval.
Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: >= 2026.2.13, <= 2026.3.1
- Latest vulnerable published version at time of update: 2026.3.1
- Patched versions: >= 2026.3.2 (released)
Technical Details
Vulnerable flows accepted URL payloads and downloaded directly from the provided URL:
- src/cli/nodes-camera.ts (writeUrlToFile) fetched URL payloads without node-host binding.
- src/cli/nodes-cli/register.camera.ts passed camera.snap / camera.clip payload URLs into that downloader.
- src/agents/tools/nodes-tool.ts did the same for camera_snap / camera_clip tool actions.
Impact
A malicious/compromised paired node could cause gateway-host URL fetches to off-node destinations reachable from the host network. This could be used for internal network probing/fetch pivots in deployments where paired nodes are not fully trusted.
Remediation
The fix introduces fail-closed node-host binding and guarded fetch for camera URL payload downloads:
- Require resolved node host metadata for URL payload downloads.
- Enforce hostname match between payload URL and resolved node host.
- Use SSRF-guarded fetch with redirect host/protocol checks.
- Apply the same enforcement across CLI and agent tool camera paths.
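The hostname binding and redirect re-check described in the remediation list, written here as an added TypeScript example; this is not OpenClaw's code, and the NodeHost shape, the function names and the injected fetcher are assumptions.

```typescript
// Added example (not OpenClaw's code). `NodeHost` is an assumed shape for the
// resolved node metadata; `host` is the node's hostname as it appears in a URL.
export type NodeHost = { host: string } | null | undefined;

// Minimal fetch-like interface so the redirect loop can be driven by a real
// fetch or, in tests, by a fake that returns a constructed redirect chain.
export type MinimalResponse = { status: number; headers: { get(name: string): string | null } };
export type Fetcher = (url: string, init: { redirect: "manual" }) => Promise<MinimalResponse>;

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Fail closed: a payload URL is accepted only if the node host is resolved,
// the scheme is http(s) and the parsed hostname equals the node host.
export function assertUrlBoundToNode(rawUrl: string, node: NodeHost): URL {
  if (!node?.host) throw new Error("camera url rejected: node host not resolved");
  let url: URL;
  try {
    url = new URL(rawUrl);
  } catch {
    throw new Error("camera url rejected: malformed url");
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    throw new Error(`camera url rejected: protocol ${url.protocol}`);
  }
  // Compare the parsed hostname, not a substring of the raw string, so that
  // "<node>.attacker.invalid" or user:pass@ prefixes cannot satisfy the check.
  if (url.hostname.toLowerCase() !== node.host.toLowerCase()) {
    throw new Error(`camera url rejected: ${url.hostname} is not node host ${node.host}`);
  }
  return url;
}

// A redirect target (raw Location header, possibly relative) is resolved
// against the current URL and held to the same binding as the first hop.
export function assertRedirectBoundToNode(current: URL, location: string, node: NodeHost): URL {
  return assertUrlBoundToNode(new URL(location, current).toString(), node);
}

// Redirects are followed manually so every hop is re-checked before it is fetched.
export async function guardedFetch(rawUrl: string, node: NodeHost, fetcher: Fetcher, maxHops = 3): Promise<MinimalResponse> {
  let url = assertUrlBoundToNode(rawUrl, node);
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = await fetcher(url.toString(), { redirect: "manual" });
    const location = res.headers.get("location");
    if (res.status < 300 || res.status >= 400 || !location) return res;
    url = assertRedirectBoundToNode(url, location, node);
  }
  throw new Error("camera url rejected: too many redirects");
}
```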
Fix Commit(s)
3bf19d6f40a0aaa55818b96eede3d05130c02533
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| npm | openclaw | >= 2026.2.13, < 2026.3.2 | 2026.3.2 |
Detection & mitigation playbook
Open-source dependency
Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for openclaw. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update openclaw to 2026.3.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-2858-xg23-26fp is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-2858-xg23-26fp is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-2858-xg23-26fp. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-2858-xg23-26fp in your dependencies?
O3 detects GHSA-2858-xg23-26fp across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.