CVE-2026-42439

HighPublic PoC

Published: 05 May 2026

Published

05 May 2026

Modified

05 May 2026

KEV Added

—

Patch

—

CVSS Score 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

EPSS Score 0.0003 7.5th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and close routes. Attackers can bypass configured browser SSRF policy protections by exploiting the /tabs/action endpoint to perform unauthorized tab navigation operations.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations on the /tabs/action endpoint to prevent low-privileged users from bypassing SSRF policies and performing unauthorized tab navigation.

AC-4 Information Flow Enforcement good match

prevent

Enforces information flow control policies to ensure SSRF protections are not bypassed during browser tab select and close operations.

AC-6 Least Privilege partial match

prevent

Restricts privileges of low-privileged users to exclude unauthorized access to tab navigation functions that bypass SSRF policies.

Security SummaryAI

CVE-2026-42439 is a server-side request forgery (SSRF) policy bypass vulnerability in OpenClaw versions before 2026.4.10. The flaw affects the browser tabs action select and close routes, specifically the /tabs/action endpoint, where attackers can bypass configured browser SSRF policy protections to perform unauthorized tab navigation operations. Published on 2026-05-05, it carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N) and is associated with CWE-862 (Missing Authorization).

The vulnerability can be exploited by low-privileged users (PR:L) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows attackers to circumvent SSRF policy safeguards, enabling unauthorized tab navigation operations that result in high confidentiality impact (C:H) within a changed scope (S:C), with low integrity impact (I:L) and no availability impact (A:N).

Mitigation details are available in the OpenClaw GitHub security advisory (GHSA-rj2p-j66c-mgqh) and the fixing commit (48c0347921b7e9438af0312968fc360ca88023f3), which resolve the issue in version 2026.4.10. VulnCheck also issued an advisory documenting the SSRF policy bypass in the browser tabs action routes. Security practitioners should upgrade to OpenClaw 2026.4.10 or later to address the vulnerability.

Details

CWE(s): CWE-862

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

SSRF policy bypass in a network-accessible web application endpoint directly maps to exploitation of public-facing applications for unauthorized actions and high-impact data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://github.com/openclaw/openclaw/commit/48c0347921b7e9438af0312968fc360ca88023f3
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/security/advisories/GHSA-rj2p-j66c-mgqh
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openclaw-ssrf-policy-bypass-in-browser-tabs-action-routes
disclosure@vulncheck.com