CVE-2026-42439
Published: 05 May 2026
Summary
CVE-2026-42439 is a high-severity Missing Authorization (CWE-862) vulnerability in Openclaw Openclaw. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations on the /tabs/action endpoint to prevent low-privileged users from bypassing SSRF policies and performing unauthorized tab navigation.
Enforces information flow control policies to ensure SSRF protections are not bypassed during browser tab select and close operations.
Restricts privileges of low-privileged users to exclude unauthorized access to tab navigation functions that bypass SSRF policies.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF policy bypass in a network-accessible web application endpoint directly maps to exploitation of public-facing applications for unauthorized actions and high-impact data access.
NVD Description
OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and close routes. Attackers can bypass configured browser SSRF policy protections by exploiting the /tabs/action endpoint to perform unauthorized tab navigation operations.
Deeper analysisAI
CVE-2026-42439 is a server-side request forgery (SSRF) policy bypass vulnerability in OpenClaw versions before 2026.4.10. The flaw affects the browser tabs action select and close routes, specifically the /tabs/action endpoint, where attackers can bypass configured browser SSRF policy protections to perform unauthorized tab navigation operations. Published on 2026-05-05, it carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N) and is associated with CWE-862 (Missing Authorization).
The vulnerability can be exploited by low-privileged users (PR:L) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows attackers to circumvent SSRF policy safeguards, enabling unauthorized tab navigation operations that result in high confidentiality impact (C:H) within a changed scope (S:C), with low integrity impact (I:L) and no availability impact (A:N).
Mitigation details are available in the OpenClaw GitHub security advisory (GHSA-rj2p-j66c-mgqh) and the fixing commit (48c0347921b7e9438af0312968fc360ca88023f3), which resolve the issue in version 2026.4.10. VulnCheck also issued an advisory documenting the SSRF policy bypass in the browser tabs action routes. Security practitioners should upgrade to OpenClaw 2026.4.10 or later to address the vulnerability.
Details
- CWE(s)