CVE-2026-43580
OpenClaw before 2026.4.10 contains an incomplete navigation guard vulnerability that allows attackers to trigger navigation without complete SSRF policy enforcement. Browser press/type style interactions, including pressKey and type submit flows, can bypass post-action security checks to execute unauthorized navigation.
Analysis
OpenClaw is an open-source recreation of a retro game engine, which is not a common component in the professional web or mobile development stacks used by the community. While the SSRF policy bypass is a high-severity issue, the extremely niche nature of this specific software means it does not warrant a broad alert to systems administrators or developers.
Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CWE-862
EPSS
No EPSS score yet (very recent CVE).
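The guard gap described above, as an added example that is not OpenClaw's code: a browser-action wrapper in which the SSRF policy is checked only on explicit navigate(), beside one that re-checks the page URL after every action that can move the page (pressKey Enter on a form, type with submit). FakePage, applyAction, the host rules and the sample URLs are constructed assumptions, not the project's API.

```javascript
// Added example, not OpenClaw's code. FakePage, its form and the host rules
// are constructed stand-ins for a real browser-automation tool.

// Minimal SSRF policy: http(s) only; no loopback, RFC 1918, link-local/metadata hosts.
function isUrlAllowed(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return false; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const h = url.hostname; // Node keeps IPv6 brackets: "[::1]"
  if (h === "localhost" || h.endsWith(".localhost") || h === "[::1]") return false;
  const m = h.match(/^(\d+)\.(\d+)\.\d+\.\d+$/);
  if (!m) return true; // hostnames still need resolution-time checks in a real policy
  const a = Number(m[1]), b = Number(m[2]);
  return !(a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
           (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168));
}

// Constructed page model: the loaded document carries a form whose action is
// page-controlled content; Enter inside it, or a typed submit, follows that action.
class FakePage {
  constructor(url, formAction) { this.url = url; this.formAction = formAction; }
  navigate(url) { this.url = url; }
  type(_selector, _text, submit) { if (submit) this.url = this.formAction; }
  pressKey(key) { if (key === "Enter") this.url = this.formAction; }
}

function applyAction(page, action) {
  if (action.kind === "navigate") page.navigate(action.url);
  else if (action.kind === "type") page.type(action.selector, action.text, action.submit);
  else if (action.kind === "pressKey") page.pressKey(action.key);
}

// Incomplete guard: the policy wraps explicit navigation only.
function runIncompleteGuard(page, action) {
  if (action.kind === "navigate" && !isUrlAllowed(action.url)) return { ok: false, url: page.url };
  applyAction(page, action);
  return { ok: true, url: page.url }; // press/type may have landed on a blocked host
}

// Complete guard: same pre-check, plus a post-action check on wherever the page ended up.
function runCompleteGuard(page, action) {
  if (action.kind === "navigate" && !isUrlAllowed(action.url)) return { ok: false, url: page.url };
  const before = page.url;
  applyAction(page, action);
  if (page.url === before || isUrlAllowed(page.url)) return { ok: true, url: page.url };
  const blocked = page.url;
  page.navigate("about:blank"); // unload the disallowed destination before reporting
  return { ok: false, url: page.url, blocked };
}
```

The post-action check is what closes the gap: any action that may change the page URL, not just navigate(), is followed by the same policy decision.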
References
- https://github.com/openclaw/openclaw/commit/049acf23cb03e1b92f5c71cd99c6ec5f35cc56fe
- https://github.com/openclaw/openclaw/commit/5f5b3d733bdd791cb457f838514179e1288b10b3
- https://github.com/openclaw/openclaw/commit/e0b8ddc1a55185aff1cf9e0e095014d2e4f1d894
- https://github.com/openclaw/openclaw/security/advisories/GHSA-536q-mj95-h29h
- https://www.vulncheck.com/advisories/openclaw-incomplete-navigation-guard-coverage-in-browser-interactions