CVSS 7.7 · HIGH

CVE-2026-43576

OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/version WebSocket endpoint that allows attackers to pivot to untrusted second-hop targets. The webSocketDebuggerUrl response field is not properly validated, enabling attackers to redirect connections to arbitrary hosts and perform SSRF-style attacks.
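As an added illustration (not OpenClaw's code or its actual fix), a client-side check that pins the webSocketDebuggerUrl from a /json/version reply to the host and port the reply was fetched from, refusing the second-hop pivot the advisory describes; the sample reply, hostnames and ports are constructed:

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a CDP /json/version reply (not captured from OpenClaw).
SAMPLE_VERSION_RESPONSE = json.dumps({
    "Browser": "Chromium/120.0.0.0",
    "Protocol-Version": "1.3",
    "webSocketDebuggerUrl": "ws://127.0.0.1:9222/devtools/browser/constructed-id",
})


def validate_debugger_url(body: str, expected_host: str, expected_port: int) -> str:
    """Return webSocketDebuggerUrl only if it points back at the CDP server we queried.

    The SSRF in CVE-2026-43576 comes from trusting this field blindly: a malicious
    /json/version reply can name any host and the client will open a second-hop
    WebSocket to it.  Pinning host and port to the endpoint already contacted
    closes that pivot.  expected_host is a bare hostname or IP (no brackets).
    """
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("/json/version body is not a JSON object")
    raw = data.get("webSocketDebuggerUrl")
    if not isinstance(raw, str) or not raw:
        raise ValueError("webSocketDebuggerUrl missing or not a string")
    parts = urlsplit(raw)
    if parts.scheme not in ("ws", "wss"):
        raise ValueError(f"unexpected scheme {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in debugger URL is not allowed")
    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if host is None:
        raise ValueError("debugger URL has no host")
    # parts.port itself raises ValueError on a malformed port, which is fine here
    port = parts.port if parts.port is not None else (443 if parts.scheme == "wss" else 80)
    if host != expected_host.lower() or port != expected_port:
        raise ValueError(f"debugger URL targets {host}:{port}, expected {expected_host}:{expected_port}")
    return raw


def is_safe_debugger_url(body: str, expected_host: str, expected_port: int) -> bool:
    """Allow/deny wrapper; json.JSONDecodeError is a ValueError subclass."""
    try:
        validate_debugger_url(body, expected_host, expected_port)
        return True
    except ValueError:
        return False
```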

View on NVD

Analysis

OpenClaw is a niche software project, likely an open-source game engine reimplementation, which is not part of the standard web or mobile development stack. While the SSRF vulnerability in the WebSocket endpoint is high severity, the software lacks the widespread deployment necessary to impact the general MexicoDev community.

Severity

Score: 7.7 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
AV: NETWORK
AC: LOW
PR: LOW
UI: NONE
S: CHANGED
C: HIGH
I: NONE
A: NONE
Weakness type (CWE): CWE-601, CWE-918

EPSS

No EPSS score yet (very recent CVE).


Published: 6/5/2026, 20:16:33
Last modified: 6/5/2026, 21:21:14
