CVE-2026-32019

Description

### Summary `isPrivateIpv4()` in bundled SSRF guard code missed several IPv4 special-use/non-global ranges, so `web_fetch` could allow targets that should be blocked by SSRF policy. ### Affected Packages / Versions - Package: `openclaw` (npm) - Latest published affected version: `2026.2.21-2` (published 2026-02-21) - Structured vulnerable range: `<= 2026.2.21-2` - Planned patched version (pre-set): `>= 2026.2.22` ### Impact Low severity. Exploitation requires network reachability to the relevant special-use ranges and a request path that reaches `web_fetch` URL fetching. ### Technical Details Affected releases used narrow IPv4 private-range checks that omitted multiple RFC special-use/non-global ranges. This allowed requests such as `http://198.18.0.1/...` through SSRF validation in affected releases. Follow-up hardening consolidates local-host/tailnet range checks so gateway/browser/tailnet paths share one canonical IP classification flow. ### Fix Commit(s) - `71bd15bb4294d3d1b54386064d69cd0f5f731bd8` - `44dfbd23df453e51b71ef79a148c28c53e89168c` - `333fbb86347998526dd514290adfd5f727caa6d9` - `f14ebd743cfc73f667fae80af70043d0ab1f88bd` OpenClaw thanks @princeeismond-dot for reporting.

How to fix CVE-2026-32019

To remediate CVE-2026-32019, upgrade the affected package to a fixed version below.

—upgrade to 2026.2.22 or later

Is CVE-2026-32019 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2026.2.22

CVSS scores

osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N