Cyber Resilience

CVE-2026-42436

MediumPublic PoC

Published: 05 May 2026

Published
05 May 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score v4 4.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0003 10.6th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-42436 is a medium-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 4.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2026-42436 is an improper access control vulnerability (CWE-862) affecting OpenClaw versions prior to 2026.4.14. The issue resides in the browser snapshot, screenshot, and tab routes, which fail to consistently validate the final browser target after navigation. This allows authenticated callers to bypass Server-Side Request Forgery (SSRF) restrictions, exposing internal or disallowed page content through route-driven navigation without proper policy re-validation. The vulnerability has a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high confidentiality impact with changed scope.

An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By leveraging the affected routes, they can manipulate navigation to reach internal services or restricted pages that would otherwise be blocked by SSRF protections, resulting in unauthorized exposure of sensitive content.

Mitigation is addressed in the OpenClaw GitHub security advisory (GHSA-c4qm-58hj-j6pj) and a fixing commit (b75ad800a59009fc47eaa3471410f69046150e59). Practitioners should upgrade to OpenClaw 2026.4.14 or later, as detailed in the advisory. Additional analysis is available in the VulnCheck advisory on internal page content exposure via these routes.

EU & UK References

Vulnerability details

OpenClaw before 2026.4.14 contains an improper access control vulnerability in browser snapshot, screenshot, and tab routes that fail to consistently validate the final browser target after navigation. Authenticated callers can bypass SSRF restrictions to expose internal or disallowed page content…

more

by exploiting route-driven navigation without proper policy re-validation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes an SSRF bypass in a public-facing web application (OpenClaw browser routes) due to missing authorization checks after navigation. This directly enables attackers to exploit the public-facing app to reach internal/restricted resources, mapping to T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-45209Shared CWE-862
CVE-2026-25026Shared CWE-862
CVE-2026-42083Shared CWE-862
CVE-2026-0656Shared CWE-862
CVE-2026-24532Shared CWE-862
CVE-2025-13603Shared CWE-862
CVE-2025-69063Shared CWE-862
CVE-2026-3045Shared CWE-862
CVE-2025-67956Shared CWE-862
CVE-2025-41765Shared CWE-862

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations to prevent authenticated users from bypassing access controls and accessing internal or disallowed browser targets after navigation.

prevent

Enforces information flow policies to block unauthorized SSRF requests to internal services or restricted pages via browser snapshot, screenshot, and tab routes.

prevent

Monitors and controls communications at system boundaries to mitigate SSRF exploitation through route-driven navigation lacking target re-validation.

References