Zero Day Monitor (ZDM) © 2026
CVE-2026-34504 · CVSS 5.3 · EXPLOITED · PATCHED
Vendor / product: openclaw / openclaw

OpenClaw < 2026.3.28 - Server-Side Request Forgery via Unguarded Image Download in fal Provider

Description

OpenClaw before 2026.3.28 contains a server-side request forgery (SSRF, CWE-918) vulnerability in the fal provider (image-generation-provider.ts). After a generation request, the provider downloads the resulting image from a URL supplied by the fal relay without checking where that URL points. A malicious or compromised relay can therefore hand back a URL for an internal address, and the provider fetches it from inside the deployment's network and carries the response through the image pipeline, exposing internal service metadata and responses. The patch commit referenced below addresses the unguarded download; 2026.3.28 is the first fixed release.
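What a guarded image download has to check, as an added example in TypeScript (the provider file is TypeScript) that is neither OpenClaw's code nor the referenced patch: the relay-supplied URL is parsed, restricted to https and an allowlisted host, rejected if it is or resolves to an internal address, and re-validated on every redirect hop. RELAY_HOSTS, the fetcher callback, the response shape and the sample URLs are assumptions made for the example.

```typescript
// Added example, not OpenClaw's code: guard an image download URL handed back by
// an untrusted upstream (the fal relay in CVE-2026-34504) before fetching it.
// RELAY_HOSTS, the fetcher signature and the sample URLs are assumptions.

type Verdict = { ok: true; url: URL } | { ok: false; reason: string };

// IPv4 ranges the image pipeline must never reach: "this network", RFC 1918,
// CGNAT, loopback, link-local (covers the 169.254.169.254 cloud metadata
// address), multicast and reserved.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];

// Hypothetical allowlist of hosts the relay may serve images from.
const RELAY_HOSTS = ["cdn.example-relay.test"];

function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isInternalAddress(addr: string): boolean {
  const a = addr.replace(/^\[|\]$/g, "").toLowerCase();
  if (a.includes(":")) {
    // IPv6: unspecified, loopback, unique-local fc00::/7, link-local fe80::/10,
    // and IPv4-mapped addresses (dotted or hex form), re-checked as IPv4.
    if (a === "::" || a === "::1" || /^f[cd]/.test(a) || /^fe[89ab]/.test(a)) return true;
    const dotted = a.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
    if (dotted) return isInternalAddress(dotted[1]);
    const hex = a.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
    if (hex) {
      const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
      return isInternalAddress(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
    }
    return false;
  }
  const n = ipv4ToInt(a);
  if (n === null) return false; // a host name, not a literal
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(net)! & mask) >>> 0);
  });
}

// Validate one URL. `resolved` is what the DNS resolver returned for the host;
// the caller must then connect to those addresses rather than re-resolving,
// otherwise a rebinding relay can pass the check and still reach 127.0.0.1.
function checkImageUrl(raw: string, allowedHosts: string[], resolved: string[] = []): Verdict {
  let url: URL;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "https:") return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  // WHATWG parsing canonicalises IPv4 tricks (0x7f000001, 2130706433, 127.1) to dotted form.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (isInternalAddress(host)) return { ok: false, reason: `internal address literal ${host}` };
  if (!allowedHosts.includes(host)) return { ok: false, reason: `host ${host} not allowlisted` };
  const bad = resolved.find(isInternalAddress);
  if (bad) return { ok: false, reason: `${host} resolves to internal address ${bad}` };
  return { ok: true, url };
}

// Follow redirects by hand and re-validate every hop: a relay that answers
// 302 Location: http://169.254.169.254/ must be stopped even though the first
// URL was clean. The fetcher shape is an assumption (a real client would call
// fetch() with redirect: "manual").
type HopResponse = { status: number; location?: string };
type Fetcher = (url: URL) => HopResponse;

function fetchImageGuarded(raw: string, allowedHosts: string[], fetcher: Fetcher, maxHops = 3): Verdict {
  let current = raw;
  for (let hop = 0; hop <= maxHops; hop++) {
    const v = checkImageUrl(current, allowedHosts);
    if (!v.ok) return v;
    const res = fetcher(v.url);
    if (res.status >= 300 && res.status < 400 && res.location) {
      current = new URL(res.location, v.url).toString();
      continue;
    }
    return v;
  }
  return { ok: false, reason: `more than ${maxHops} redirects` };
}

// Constructed relay responses: the first hop looks clean, the redirect targets
// the cloud metadata service.
const maliciousRelay: Fetcher = (u) =>
  u.hostname === "cdn.example-relay.test"
    ? { status: 302, location: "http://169.254.169.254/latest/meta-data/" }
    : { status: 200 };

console.log(checkImageUrl("https://cdn.example-relay.test/out/1.png", RELAY_HOSTS));
console.log(checkImageUrl("https://169.254.169.254/latest/meta-data/", RELAY_HOSTS));
console.log(fetchImageGuarded("https://cdn.example-relay.test/out/1.png", RELAY_HOSTS, maliciousRelay));
```

The allowlist is the decisive control: blocklisting private ranges alone still leaves every other internal-but-routable service reachable, and the relay chooses the URL. The two remaining gaps a practitioner should close in the real client are DNS rebinding between check and connect (pin the checked addresses on the socket) and response handling (cap the body size and verify the content type, so a metadata response is not carried into the pipeline as an "image").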

Affected Products

Vendor     Product     Versions
openclaw   openclaw    from 0 (i.e. all releases) up to, but not including, 2026.3.28

References

  • https://github.com/openclaw/openclaw/security/advisories/GHSA-qxgf-hmcj-3xw3 (third-party advisory)
  • https://github.com/openclaw/openclaw/commit/80d1e8a11a2ac118c7f7a70bba9c862b6141d928 (patch)
  • https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-image-download-in-fal-provider (third-party advisory)

Related News (1 article)

  • VulDB, 7h ago (Tier C): "CVE-2026-34504 | OpenClaw up to 2026.3.27 server-side request forgery (GHSA-qxgf-hmcj-3xw3)". No new info (linked only).
CVSS 3.1: 5.3 (severity label: NONE)
CISA KEV: No
Actively exploited: Yes
Patch available: null (field not populated, although the header badge reads PATCHED and a patch commit is listed under References)
CWE: CWE-918 (Server-Side Request Forgery)
Published: Mar 31, 2026
Last enriched: 6h ago (v2)
Tags: multiple vulnerabilities, arbitrary code execution, privilege escalation, denial of service (auto-assigned; the description reports only an SSRF)
Trending Score: 59
Source articles: 1
Independent: 1
Info Completeness: 10/14 (missing: epss, kev, exploit, iocs)

The "Actively exploited" flag is not backed by a KEV entry, an exploit reference or IOCs on this page, and the verification state below is unverified at 0% confidence; treat it as unconfirmed until a source for the exploitation claim is linked.


Related CVEs (5)

  • CVE-2026-33580 (EXP, severity NONE): OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication (trending 53)
  • CVE-2026-33579 (EXP, severity NONE): OpenClaw < 2026.3.28 - Privilege Escalation via Missing Caller Scope Validation in Device Pair Approval (trending 53)
  • CVE-2026-32917 (EXP, severity NONE): OpenClaw < 2026.3.13 - Remote Command Injection via Unsanitized iMessage Attachment Paths in SCP (trending 52)
  • CVE-2026-34509 (EXP, severity NONE): OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration (trending 48)
  • CVE-2026-32916 (EXP, severity NONE): OpenClaw 2026.3.7 < 2026.3.11 - Authorization Bypass in Plugin Subagent Routes via Synthetic Admin Scopes (trending 43)

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • Mar 31, 2026: CVE published
  • Mar 31, 2026: discovered by ZDM
  • Mar 31, 2026: updated severity, activelyExploited, patchAvailable
  • Mar 31, 2026: marked actively exploited
  • Mar 31, 2026: patch available

Version History

  • v2 (Tier C, 6h ago, via VulDB; fields changed: severity, activelyExploited, patchAvailable): "Updated severity to CRITICAL, marked as actively exploited, and noted no exploit available." The CVSS 3.1 score displayed above remains 5.3.
  • v1 (8h ago): initial creation.