openclaw - 💡(How to fix) Fix [Bug]: xAI image_generate blocked by SSRF — resolveAllowPrivateNetwork hardcoded to false in extensions/xai/image-generation-provider.ts

OpenClaw version

  • v2026.5.18 (latest stable)
  • v2026.5.19-beta.2 (latest beta)

Both affected.

What I'm trying to do

Use xAI image generation (grok-imagine-image / grok-imagine-image-quality) through a private-network gateway. We have a multi-tenant proxy at 10.0.0.10:8090 that translates a per-tenant proxy token into the SuperGrok OAuth access_token of a shared account (avoids needing one API key per tenant). The same gateway works perfectly for chat and for OpenAI image generation.

Relevant openclaw.json (per-tenant):

{
  "models": {
    "providers": {
      "xai": {
        "baseUrl": "http://10.0.0.10:8090/xai/v1",
        "apiKey": "clawsaas-tenant-<token>",
        "api": "openai-completions",
        "request": { "allowPrivateNetwork": true }
      }
    }
  },
  "browser": {
    "ssrfPolicy": { "dangerouslyAllowPrivateNetwork": true }
  },
  "plugins": { "entries": { "xai": { "enabled": true } } },
  "agents": {
    "defaults": {
      "imageGenerationModel": { "primary": "xai/grok-imagine-image" }
    }
  }
}

Chat works through the same baseUrl. Image generation does not.

What happens

[security] blocked URL fetch (url-fetch) targetOrigin=http://10.0.0.10:8090
  reason=Blocked hostname or private/internal/special-use IP address
[image-generation] candidate failed: xai/grok-imagine-image: Blocked hostname or private/internal/special-use IP address
[tools] image_generate failed: All image generation models failed (1):
  xai/grok-imagine-image: Blocked hostname or private/internal/special-use IP address

No browser.ssrfPolicy or request.allowPrivateNetwork setting changes the behavior. SSRF guard fires regardless.

Root cause

extensions/xai/image-generation-provider.ts (current main):

export function buildXaiImageGenerationProvider(): ImageGenerationProvider {
  return createOpenAiCompatibleImageGenerationProvider({
    id: "xai",
    ...
    defaultBaseUrl: XAI_BASE_URL,
    resolveBaseUrl: ({ req }) => resolveXaiImageBaseUrl(req),
    resolveAllowPrivateNetwork: () => false,   // ← hardcoded, ignores all config
    ...
  });
}

This is asymmetric with extensions/openai/image-generation-provider.ts, which uses (and was fixed in #63095):

allowPrivateNetwork: shouldAllowPrivateImageEndpoint(req),

where shouldAllowPrivateImageEndpoint consults cfg.browser.ssrfPolicy.

Expected behavior

Same as OpenAI image_generate after #63095: when the user opts in via browser.ssrfPolicy.dangerouslyAllowPrivateNetwork=true (or via models.providers.xai.request.allowPrivateNetwork=true), the xAI image provider should allow a private-network base URL.

Suggested fix

Replace the hardcoded false with the same logic OpenAI uses:

resolveAllowPrivateNetwork: ({ req }) =>
  isPrivateNetworkOptInEnabled(req.cfg?.browser?.ssrfPolicy) ||
  Boolean(req.cfg?.models?.providers?.xai?.request?.allowPrivateNetwork),

Same one-line change applies to other OpenAI-compatible image providers using createOpenAiCompatibleImageGenerationProvider with resolveAllowPrivateNetwork: () => false (fal/minimax/byteplus/together/etc.). PR #63255 tried to do this globally but was closed without merge; this issue is scoped specifically to xAI.

Workaround

Use openai/gpt-image-1 as primary instead — works because #63095 fixed it for OpenAI. Defeats the purpose of leveraging the SuperGrok subscription image quota (free vs $0.04/img).

Related

  • #63095 (merged): the analogous OpenAI fix
  • #63255 (closed without merge): the broader media-providers SSRF feature
  • #62879, #67216 (closed): per-provider variants of the same bug
  • #77922 (open): same problem reported for Comfy plugin

Happy to send a PR with the one-line change if helpful.
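As an added example, not code from OpenClaw or from the reporter, the following stand-alone TypeScript sketch shows the behaviour the issue asks for: a private-network guard over an image provider's base URL whose allowance is resolved from configuration (the global browser.ssrfPolicy opt-in, or the provider's own request.allowPrivateNetwork flag) instead of a hardcoded false. Every identifier here (checkImageEndpoint, makeProviderAllowResolver, the Config shapes) is an assumption; only the configuration keys mirror the issue. The guard checks literal IPs and a few special hostnames on the URL as written; a production guard also has to re-check every address a hostname resolves to.

```typescript
// Added example, not OpenClaw's own code. All names are hypothetical stand-ins;
// only the config keys (browser.ssrfPolicy.dangerouslyAllowPrivateNetwork,
// models.providers.<id>.request.allowPrivateNetwork) mirror the issue.

interface SsrfPolicy {
  dangerouslyAllowPrivateNetwork?: boolean;
}
interface ProviderConfig {
  baseUrl?: string;
  request?: { allowPrivateNetwork?: boolean };
}
interface Config {
  browser?: { ssrfPolicy?: SsrfPolicy };
  models?: { providers?: Record<string, ProviderConfig> };
}
interface ImageRequest {
  cfg?: Config;
}
type AllowResolver = (args: { req: ImageRequest }) => boolean;
type GuardResult = { ok: true } | { ok: false; reason: string };

// Literal IPv4 in private, loopback, "this network", CGNAT, link-local
// (including the 169.254.169.254 cloud metadata endpoint), multicast or
// reserved space.
function isPrivateOrSpecialUseIPv4(ip: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    a >= 224
  );
}

// Recover the embedded IPv4 from an IPv4-mapped IPv6 literal, whether the URL
// parser kept the dotted form (::ffff:10.0.0.10) or hex groups (::ffff:a00:a).
function mappedIPv4(host: string): string | null {
  if (!host.startsWith("::ffff:")) return null;
  const rest = host.slice(7);
  if (rest.includes(".")) return rest;
  const [hi, lo] = rest.split(":").map((g) => parseInt(g || "0", 16));
  if (Number.isNaN(hi) || Number.isNaN(lo)) return null;
  return `${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`;
}

// Hostname-level check only: DNS resolution and a re-check of every resolved
// address (DNS rebinding) are deliberately out of scope for this example.
function isBlockedHost(rawHost: string): boolean {
  const host = rawHost.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host.endsWith(".internal") || host.endsWith(".local")) return true;
  if (host.includes(":")) {
    const v4 = mappedIPv4(host);
    if (v4 !== null) return isPrivateOrSpecialUseIPv4(v4);
    // unspecified, loopback, unique-local (fc00::/7), link-local (fe80::/10)
    return host === "::" || host === "::1" || /^f[cd][0-9a-f]{2}:/.test(host) || host.startsWith("fe80:");
  }
  return isPrivateOrSpecialUseIPv4(host);
}

function isPrivateNetworkOptInEnabled(policy?: SsrfPolicy): boolean {
  return policy?.dangerouslyAllowPrivateNetwork === true;
}

// The behaviour the issue asks for: the global browser.ssrfPolicy opt-in OR
// the provider's own request.allowPrivateNetwork flag.
function makeProviderAllowResolver(providerId: string): AllowResolver {
  return ({ req }) =>
    isPrivateNetworkOptInEnabled(req.cfg?.browser?.ssrfPolicy) ||
    req.cfg?.models?.providers?.[providerId]?.request?.allowPrivateNetwork === true;
}

// What the reporter hit: a resolver that ignores configuration entirely.
const hardcodedResolver: AllowResolver = () => false;

function checkImageEndpoint(baseUrl: string, allowPrivate: boolean): GuardResult {
  let url: URL;
  try {
    url = new URL(baseUrl);
  } catch {
    return { ok: false, reason: "Invalid base URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `Blocked scheme ${url.protocol}` };
  }
  if (!allowPrivate && isBlockedHost(url.hostname)) {
    return { ok: false, reason: "Blocked hostname or private/internal/special-use IP address" };
  }
  return { ok: true };
}

function evaluate(resolver: AllowResolver, cfg: Config | undefined, baseUrl: string): GuardResult {
  return checkImageEndpoint(baseUrl, resolver({ req: { cfg } }));
}

// Constructed config mirroring the per-tenant openclaw.json from the issue.
const tenantCfg: Config = {
  models: {
    providers: {
      xai: { baseUrl: "http://10.0.0.10:8090/xai/v1", request: { allowPrivateNetwork: true } },
    },
  },
  browser: { ssrfPolicy: { dangerouslyAllowPrivateNetwork: true } },
};
const xaiResolver = makeProviderAllowResolver("xai");

for (const [label, resolver] of [["hardcoded", hardcodedResolver], ["config-aware", xaiResolver]] as const) {
  console.log(label, evaluate(resolver, tenantCfg, "http://10.0.0.10:8090/xai/v1"));
}
```

With the constructed config, the hardcoded resolver still rejects the 10.0.0.10 gateway with the same reason string the reporter saw, while the config-aware resolver admits it; with no opt-in at all, both reject it, as do both for the metadata address and a file: URL. Of the two opt-ins, the provider-scoped request.allowPrivateNetwork is the narrower one to grant a tenant, since the global browser.ssrfPolicy switch is not limited to one provider.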
