CVE-2026-42436
Published: 05 May 2026
Summary
CVE-2026-42436 is a medium-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 4.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Deeper analysis
CVE-2026-42436 is an improper access control vulnerability (CWE-862) affecting OpenClaw versions prior to 2026.4.14. The issue resides in the browser snapshot, screenshot, and tab routes, which fail to consistently validate the final browser target after navigation. This allows authenticated callers to bypass Server-Side Request Forgery (SSRF) restrictions, exposing internal or disallowed page content through route-driven navigation without proper policy re-validation. The vulnerability has a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high confidentiality impact with changed scope.
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By leveraging the affected routes, they can manipulate navigation to reach internal services or restricted pages that would otherwise be blocked by SSRF protections, resulting in unauthorized exposure of sensitive content.
Mitigation is addressed in the OpenClaw GitHub security advisory (GHSA-c4qm-58hj-j6pj) and a fixing commit (b75ad800a59009fc47eaa3471410f69046150e59). Practitioners should upgrade to OpenClaw 2026.4.14 or later, as detailed in the advisory. Additional analysis is available in the VulnCheck advisory on internal page content exposure via these routes.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-27255
Vulnerability details
OpenClaw before 2026.4.14 contains an improper access control vulnerability in browser snapshot, screenshot, and tab routes that fail to consistently validate the final browser target after navigation. Authenticated callers can bypass SSRF restrictions to expose internal or disallowed page content…
more
by exploiting route-driven navigation without proper policy re-validation.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes an SSRF bypass in a public-facing web application (OpenClaw browser routes) due to missing authorization checks after navigation. This directly enables attackers to exploit the public-facing app to reach internal/restricted resources, mapping to T1190.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations to prevent authenticated users from bypassing access controls and accessing internal or disallowed browser targets after navigation.
Enforces information flow policies to block unauthorized SSRF requests to internal services or restricted pages via browser snapshot, screenshot, and tab routes.
Monitors and controls communications at system boundaries to mitigate SSRF exploitation through route-driven navigation lacking target re-validation.