CVE-2026-42436
Published: 05 May 2026
Description
OpenClaw before 2026.4.14 contains an improper access control vulnerability in browser snapshot, screenshot, and tab routes that fail to consistently validate the final browser target after navigation. Authenticated callers can bypass SSRF restrictions to expose internal or disallowed page content…
more
by exploiting route-driven navigation without proper policy re-validation.
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring an access control policy ensures authorization checks are defined and applied for critical functions.
Reviews of access controls detect missing authorization checks on critical functions or resources.
Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.
Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.
Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.
Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.
The control requires authorization before allowing mobile device connections, directly mitigating missing authorization for system access.
Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.
Security SummaryAI
CVE-2026-42436 is an improper access control vulnerability (CWE-862) affecting OpenClaw versions prior to 2026.4.14. The issue resides in the browser snapshot, screenshot, and tab routes, which fail to consistently validate the final browser target after navigation. This allows authenticated callers to bypass Server-Side Request Forgery (SSRF) restrictions, exposing internal or disallowed page content through route-driven navigation without proper policy re-validation. The vulnerability has a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high confidentiality impact with changed scope.
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By leveraging the affected routes, they can manipulate navigation to reach internal services or restricted pages that would otherwise be blocked by SSRF protections, resulting in unauthorized exposure of sensitive content.
Mitigation is addressed in the OpenClaw GitHub security advisory (GHSA-c4qm-58hj-j6pj) and a fixing commit (b75ad800a59009fc47eaa3471410f69046150e59). Practitioners should upgrade to OpenClaw 2026.4.14 or later, as detailed in the advisory. Additional analysis is available in the VulnCheck advisory on internal page content exposure via these routes.
Details
- CWE(s)
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes an SSRF bypass in a public-facing web application (OpenClaw browser routes) due to missing authorization checks after navigation. This directly enables attackers to exploit the public-facing app to reach internal/restricted resources, mapping to T1190.