ASR AI Security Radar
Methodology Recent Incidents Get Notified

Back to incidents

AI security incident: OpenClaw affected by SSRF via attachment/media URL hydration (GHSA-wfp2-v9c7-fh79)

Incident date: February 17, 2026 | Published: February 25, 2026 | Source: GitHub Security Advisory | Classification confidence: 50%

This incident is part of the public archive. AI-specific signals are limited in the current source material, so source citations should be reviewed closely during triage. Review methodology.

Summary Versions of the openclaw npm package prior to 2026.2.2 could be coerced into fetching arbitrary http(s) URLs during attachment/media hydration. An attacker who can influence the media URL (for example via model-controlled sendAttachment or auto-reply media URLs) could trigger SSRF to internal resources and exfiltrate the fetched bytes as an outbound attachment. ### Plain-English Explanation OpenClaw can send files by downloading them first. On vulnerable versions ( = 2026.2.2 Release timeline (npm): - 2026.2.1 published 2026-02-02T11:45:27Z - 2026.2.2 published 2026-02-04T00:56:41Z - This advisory was created 2026-02-05T10:42:26Z ### Details In affected versions, remote media fetching performed a raw fetch(url) without SSRF protections.

Why This Is AI-Related

This advisory is part of the public incident archive, but the current source material uses limited explicit AI terminology, so the cited sources should be reviewed carefully when judging AI relevance and exposure.

  • Explicit AI-specific signals are limited in the current source material, so use the cited advisory to validate scope during triage.

Affected Workflow

Review connectors, retrieval plugins, webhook targets, file access paths, and outbound network policies around AI services.

Likely Attack Path

The flaw creates an unauthorized path to fetch, read, or exfiltrate sensitive data from connected systems or local files.

Impact

The flaw can expose internal data, local files, or connected systems through AI workflow connectors and supporting services. Severity HIGH. Classification confidence 50%. Source channel GHSA.

Detection And Triage Signals

  • Unexpected outbound requests from AI application components
  • Access to internal metadata endpoints, local files, or restricted datasets
  • Downloads or responses that contain internal documents, secrets, or embeddings

Recommended Response

  • Confirm whether the affected component can reach internal metadata, local files, or connected data stores.
  • Restrict outbound requests and sensitive data access paths until a patch or mitigation is in place.
  • Inspect logs for unusual downloads, webhook calls, retrieval requests, or responses containing internal content.

Compliance And Business Impact

Data exposure creates direct confidentiality risk and can trigger incident notification, contractual, and regulatory obligations.

Sources

Want alerts like this in real time?

Get notified with incident context, likely impact, and response guidance.

Get Notified

More incidents