Cyber Resilience

CVE-2026-42439

MediumPublic PoC

Published: 05 May 2026

Published
05 May 2026
Modified
07 May 2026
KEV Added
Patch
CVSS Score v4 4.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0024 15.4th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-42439 is a medium-severity Missing Authorization (CWE-862) vulnerability in Openclaw Openclaw. Its CVSS base score is 4.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2026-42439 is a server-side request forgery (SSRF) policy bypass vulnerability in OpenClaw versions before 2026.4.10. The flaw affects the browser tabs action select and close routes, specifically the /tabs/action endpoint, where attackers can bypass configured browser SSRF policy protections to perform unauthorized tab navigation operations. Published on 2026-05-05, it carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N) and is associated with CWE-862 (Missing Authorization).

The vulnerability can be exploited by low-privileged users (PR:L) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows attackers to circumvent SSRF policy safeguards, enabling unauthorized tab navigation operations that result in high confidentiality impact (C:H) within a changed scope (S:C), with low integrity impact (I:L) and no availability impact (A:N).

Mitigation details are available in the OpenClaw GitHub security advisory (GHSA-rj2p-j66c-mgqh) and the fixing commit (48c0347921b7e9438af0312968fc360ca88023f3), which resolve the issue in version 2026.4.10. VulnCheck also issued an advisory documenting the SSRF policy bypass in the browser tabs action routes. Security practitioners should upgrade to OpenClaw 2026.4.10 or later to address the vulnerability.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and close routes. Attackers can bypass configured browser SSRF policy protections by exploiting the /tabs/action endpoint to perform unauthorized tab navigation operations.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF policy bypass in a network-accessible web application endpoint directly maps to exploitation of public-facing applications for unauthorized actions and high-impact data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-43573Same product: Openclaw Openclaw
CVE-2026-35629Same product: Openclaw Openclaw
CVE-2026-41912Same product: Openclaw Openclaw
CVE-2026-43580Same product: Openclaw Openclaw
CVE-2026-44116Same product: Openclaw Openclaw
CVE-2026-6011Same product: Openclaw Openclaw
CVE-2026-22181Same product: Openclaw Openclaw
CVE-2026-28476Same product: Openclaw Openclaw
CVE-2026-41914Same product: Openclaw Openclaw
CVE-2026-41394Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.4.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations on the /tabs/action endpoint to prevent low-privileged users from bypassing SSRF policies and performing unauthorized tab navigation.

prevent

Enforces information flow control policies to ensure SSRF protections are not bypassed during browser tab select and close operations.

prevent

Restricts privileges of low-privileged users to exclude unauthorized access to tab navigation functions that bypass SSRF policies.

References