@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (>=0.8.3 <=0.9.5) +16 more potentially affected by CVE-2026-43527 via openclaw (>=2026.3.22 <=2026.4.12)

openclaw NPM version =2026.3.22, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.0, =0.1.1, =2.0.1, =0.0.7, =0.0.11 and more Source cves: CVE-2026-43527 Source advisory: SNYK:JS-OPENCLAW-16420277...

CVE-2026-43527

creationtimestamp| type| source ---|---|--- 2026-05-05 13:22:50+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3ml4bstirqs2k 2026-05-05 19:00:26+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3ml4uohio2h2s...

CVE-2026-43527 OpenClaw < 2026.4.14 - Server-Side Request Forgery via Private Network Navigation

OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF policy that allows private-network navigation by default. Attackers can exploit this misconfiguration to access internal services or metadata endpoints through browser-driven requests...

@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (>=0.8.3 <=0.9.5) +17 more potentially affected by CVE-2026-43527 via openclaw (>=0.0.1 <=2026.4.12)

openclaw NPM version =0.0.1, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.0, =0.1.1, =2.0.1, =0.0.7, =0.0.11 and more Source cves: CVE-2026-43527 Source advisory: OSV:GHSA-53VX-PMQW-863C...