CVE-2026-43573
Published: 05 May 2026
Summary
CVE-2026-43573 is a high-severity Missing Authorization (CWE-862) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-4 enforces approved information flow control policies to prevent server-side requests to unauthorized internal targets, directly mitigating the SSRF policy bypass.
AC-3 requires enforcement of access authorizations in browser interaction routes, addressing the missing authorization that allows low-privileged users to bypass SSRF navigation guards.
SI-10 validates information inputs to existing-session routes, blocking malicious or unauthorized targets that enable SSRF exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF policy bypass in public-facing web application (OpenClaw) directly enables initial access via exploitation of a public-facing app vulnerability (CWE-918 + CWE-862).
NVD Description
OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement.
Deeper analysisAI
CVE-2026-43573, published on 2026-05-05, affects OpenClaw versions before 2026.4.10. The vulnerability is a server-side request forgery (SSRF) policy bypass in existing-session browser interaction routes, allowing attackers to circumvent SSRF navigation guards and interact with or navigate to unauthorized targets without policy enforcement. It is linked to CWE-862 (Missing Authorization) and CWE-918 (Server-Side Request Forgery), with a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).
Low-privileged users (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation changes scope (S:C) and enables high confidentiality impact (C:H), permitting access to sensitive or unauthorized internal resources through bypassed policy controls.
Mitigation is available in OpenClaw 2026.4.10. The fixing commit is at https://github.com/openclaw/openclaw/commit/daeb74920d5ad986cb600625180037e23221e93a, with advisories published at https://github.com/openclaw/openclaw/security/advisories/GHSA-527m-976r-jf79 and https://www.vulncheck.com/advisories/openclaw-ssrf-policy-bypass-in-existing-session-browser-interaction-routes.
Details
- CWE(s)