Bug type
Regression (worked before, now fails)
Beta release blocker
No
Summary
After upgrading to 2026.4.10, the browser tool rejects all hostname-based navigation with a strict SSRF policy error, and the behavior persists through 2026.4.11 and 2026.4.12.
Steps to reproduce
- Run OpenClaw 2026.4.12 with browser.defaultProfile set to openclaw and no browser.ssrfPolicy configured.
- Invoke the browser tool to navigate to a public https URL (e.g. a skool.com page).
- Observe the navigation is blocked before the page loads.
Expected behavior
The browser tool navigates to the requested public hostname. Prior to 2026.4.10, browser tool navigation to public hostnames worked under the same config.
Actual behavior
The browser tool returns the following error and does not navigate:
Navigation blocked: strict browser SSRF policy requires an IP-literal URL because browser DNS rebinding protections are unavailable for hostname-based navigation
web_fetch against the same host succeeds in the same session, so general network access is functional. openclaw config get browser returns:
{
"executablePath": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
"defaultProfile": "openclaw"
}
env | grep -i -E 'openclaw|ssrf|browser' returns no matches. openclaw doctor reports no browser or security warnings. The error is identical on 2026.4.10, 2026.4.11, and 2026.4.12, and persists after switching defaultProfile from user to openclaw and restarting the gateway.
OpenClaw version
2026.4.12 (769908e)
Operating system
macOS 15.7
Install method
npm install
Model
openai-codex/gpt-5.4
Provider / routing chain
openclaw > OpenAI
Additional provider/model setup details
Logs, screenshots, and evidence
Impact and severity
- Affected users/systems/channels: The browser tool on this installation (macOS, OpenClaw 2026.4.12, managed openclaw profile).
- Severity: Blocks workflow. The browser tool cannot navigate to any public hostname.
- Frequency: Always. The error reproduces on every browser tool navigation attempt and persists across 2026.4.10, 2026.4.11, and 2026.4.12.
- Consequence: The browser tool is unusable for its intended purpose on this installation. web_fetch still works, so read-only page retrieval is possible, but any workflow requiring interactive browser navigation is blocked.
Additional information
No response