CVSS 8.5 · HIGH

CVE-2026-42439

OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and close routes. Attackers can bypass configured browser SSRF policy protections by exploiting the /tabs/action endpoint to perform unauthorized tab navigation operations.

View on NVD

Analysis

OpenClaw is a niche open-source game engine reimplementation for a 1990s platformer. While the SSRF vulnerability is rated as High severity, the product is not part of the standard web, mobile, or backend developer stack and has no significant deployment in enterprise or infrastructure environments.

Severity

Score: 8.5 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
AV: NETWORK
AC: LOW
PR: LOW
UI: NONE
S: CHANGED
C: HIGH
I: LOW
A: NONE
Weakness type (CWE): CWE-862, CWE-918

EPSS

Exploitation probability (next 30 days): 0.0003 (0.0%)
Percentile: 7.5%
EPSS date: 2026-05-06

Affects

openclaw:openclaw


Published: 5/5/2026, 12:16:18
Last modified: 7/5/2026, 1:59:18
