top of page
perceptive_background_267k.jpg

OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and close routes. Attackers can b…

Published:

4 May 2026 at 22:00:00

Alert date:

5 May 2026 at 13:07:56

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies, Enterprise Applications

OpenClaw before version 2026.4.10 contains a server-side request forgery (SSRF) policy bypass vulnerability in the browser tabs action select and close routes. Attackers can exploit the /tabs/action endpoint to bypass configured browser SSRF policy protections and perform unauthorized tab navigation operations. This vulnerability allows attackers to circumvent security controls designed to prevent SSRF attacks. The issue affects the tab management functionality of the OpenClaw application. Users should upgrade to version 2026.4.10 or later to mitigate this vulnerability.

Technical details

Mitigation steps:

Affected products:

OpenClaw

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-42439
https://github.com/openclaw/openclaw/commit/48c0347921b7e9438af0312968fc360ca88023f3
https://github.com/openclaw/openclaw/security/advisories/GHSA-rj2p-j66c-mgqh
https://www.vulncheck.com/advisories/openclaw-ssrf-policy-bypass-in-browser-tabs-action-routes

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page