Cyber Posture

CVE-2026-43573

HighPublic PoC

Published: 05 May 2026

Published
05 May 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0003 7.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement.

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SC-7 Boundary Protection
addresses: CWE-862 CWE-918

Missing authorization for internal functions is mitigated by requiring all external access to traverse managed boundaries.

AC-1 Policy and Procedures
addresses: CWE-862

Requiring an access control policy ensures authorization checks are defined and applied for critical functions.

AC-13 Supervision and Review — Access Control
addresses: CWE-862

Reviews of access controls detect missing authorization checks on critical functions or resources.

AC-14 Permitted Actions Without Identification or Authentication
addresses: CWE-862

Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.

AC-16 Security and Privacy Attributes
addresses: CWE-862

Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.

AC-17 Remote Access
addresses: CWE-862

Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.

AC-18 Wireless Access
addresses: CWE-862

Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.

AC-19 Access Control for Mobile Devices
addresses: CWE-862

The control requires authorization before allowing mobile device connections, directly mitigating missing authorization for system access.

Security SummaryAI

CVE-2026-43573, published on 2026-05-05, affects OpenClaw versions before 2026.4.10. The vulnerability is a server-side request forgery (SSRF) policy bypass in existing-session browser interaction routes, allowing attackers to circumvent SSRF navigation guards and interact with or navigate to unauthorized targets without policy enforcement. It is linked to CWE-862 (Missing Authorization) and CWE-918 (Server-Side Request Forgery), with a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).

Low-privileged users (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation changes scope (S:C) and enables high confidentiality impact (C:H), permitting access to sensitive or unauthorized internal resources through bypassed policy controls.

Mitigation is available in OpenClaw 2026.4.10. The fixing commit is at https://github.com/openclaw/openclaw/commit/daeb74920d5ad986cb600625180037e23221e93a, with advisories published at https://github.com/openclaw/openclaw/security/advisories/GHSA-527m-976r-jf79 and https://www.vulncheck.com/advisories/openclaw-ssrf-policy-bypass-in-existing-session-browser-interaction-routes.

Details

CWE(s)
CWE-862CWE-918

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

SSRF policy bypass in public-facing web application (OpenClaw) directly enables initial access via exploitation of a public-facing app vulnerability (CWE-918 + CWE-862).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References