CVE-2026-42184 Overview
CVE-2026-42184 affects the Tauri framework, used to build desktop binaries across major operating systems. Versions from 2.0 through 2.11.0 contain a flaw in the is_local_url() function that incorrectly classifies remote URLs as trusted local origins on Windows and Android. On these platforms, Tauri maps custom URI scheme protocols to http://<scheme>.localhost/ because the underlying WebView implementations cannot serve custom schemes directly. The origin check only inspects the first subdomain of the URL, allowing an attacker-controlled domain whose subdomain matches the application's custom scheme to be treated as a trusted local origin. The issue is resolved in Tauri 2.10.3. The weakness is tracked as [CWE-918] Server-Side Request Forgery.
Critical Impact
An attacker who lures a user to a malicious page whose subdomain matches a Tauri application's custom scheme can have their remote content treated as a trusted local origin, undermining the integrity boundary between the WebView and the application backend.
Affected Products
- Tauri framework versions 2.0 through 2.11.0
- Tauri applications running on Windows
- Tauri applications running on Android
Discovery Timeline
- 2026-05-27 - CVE-2026-42184 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-42184
Vulnerability Analysis
Tauri exposes application resources to its embedded WebView through custom URI schemes. On Windows and Android, WebView2 and the Android WebView cannot serve arbitrary custom schemes, so Tauri rewrites them to http://<scheme>.localhost/. Internal logic uses the is_local_url() function to decide whether a given origin should be trusted as part of the application's own local context.
The function inspects only the first subdomain label of the URL when deciding locality. An origin of the form http://<scheme>.attacker.tld/ therefore satisfies the same first-label check that http://<scheme>.localhost/ satisfies. The check does not validate the registrable domain or confirm that the host resolves to a loopback address.
Because the trust decision controls origin-based behavior inside the WebView, content served from an attacker-controlled domain can be evaluated as if it were the application's own local origin. The vulnerability maps to [CWE-918] because the flawed origin check enables the application to treat server-controlled URLs as internal.
Root Cause
The root cause is incomplete origin validation in is_local_url(). The function compares only the leftmost DNS label against the expected custom scheme name. It does not enforce that the second-level domain is localhost or that the host belongs to a loopback range.
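The following is an added illustration, not Tauri's own source: a simplified reconstruction of the leftmost-label check described in the Vulnerability Analysis and Root Cause sections, beside a hardened variant that requires the whole host to be exactly <scheme>.localhost. The function names, the minimal URL parsing, and the scheme name myapp are assumptions made for this example.

```rust
// Added example (not Tauri's code): a flawed leftmost-label origin check
// reconstructed from the advisory text, next to a hardened check that
// requires the full host to be "<scheme>.localhost". Names are assumptions.

/// Extract the lowercase host from an http(s) URL, ignoring userinfo and port.
/// IPv6 literals are out of scope for this example.
fn host_of(url: &str) -> Option<String> {
    let rest = url
        .strip_prefix("http://")
        .or_else(|| url.strip_prefix("https://"))?;
    // the authority ends at the first path, query or fragment delimiter
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next()?;
    // anything before the last '@' is userinfo, not the host
    let hostport = authority.rsplit('@').next()?;
    let host = hostport.split(':').next()?;
    if host.is_empty() {
        None
    } else {
        Some(host.to_ascii_lowercase())
    }
}

/// Flawed check: trusts any URL whose leftmost host label equals the custom
/// scheme name, so "http://myapp.attacker.tld/" passes for scheme "myapp".
fn is_local_url_flawed(url: &str, scheme: &str) -> bool {
    let scheme = scheme.to_ascii_lowercase();
    match host_of(url) {
        Some(host) => host
            .split('.')
            .next()
            .map_or(false, |first| first == scheme.as_str()),
        None => false,
    }
}

/// Hardened check: the scheme must be a plain DNS label and the host must be
/// exactly "<scheme>.localhost"; every other host is untrusted.
fn is_local_url_hardened(url: &str, scheme: &str) -> bool {
    let scheme = scheme.to_ascii_lowercase();
    let valid_label = !scheme.is_empty()
        && scheme.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-');
    if !valid_label {
        return false;
    }
    match host_of(url) {
        Some(host) => host == format!("{}.localhost", scheme),
        None => false,
    }
}

fn main() {
    let scheme = "myapp";
    for &url in [
        "http://myapp.localhost/index.html",
        "http://myapp.attacker.tld/index.html",
        "http://myapp.localhost.attacker.tld/",
    ]
    .iter()
    {
        println!(
            "{} -> flawed: {}, hardened: {}",
            url,
            is_local_url_flawed(url, scheme),
            is_local_url_hardened(url, scheme)
        );
    }
}
```

The hardened variant deliberately compares the complete normalized host rather than a prefix, so attacker-controlled names such as myapp.attacker.tld and myapp.localhost.attacker.tld fail the check while myapp.localhost still passes.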
Attack Vector
An attacker registers or controls a domain such as attacker.tld and configures a subdomain matching a target Tauri application's custom scheme, for example myapp.attacker.tld. The attacker then induces the user to load that URL inside a context reachable by the Tauri WebView. Tauri's origin check returns true, granting the remote page the trust level reserved for local content. The attack requires user interaction and network reachability, and exploitation is constrained by the need to know the target application's custom scheme name.
No verified public proof-of-concept code is available. See the GitHub Security Advisory for vendor technical details.
Detection Methods for CVE-2026-42184
Indicators of Compromise
- Outbound DNS or HTTP requests from Tauri application processes to hosts shaped like <customscheme>.<external-domain> rather than <customscheme>.localhost.
- WebView navigation events referencing non-loopback hosts whose leftmost label matches a known application custom scheme.
- Unexpected cross-origin resource loads inside a Tauri WebView coinciding with user clicks on external links.
Detection Strategies
- Inventory installed Tauri applications and identify those built with versions 2.0 through 2.11.0 by inspecting binary metadata and bundled tauri.conf.json files.
- Inspect network telemetry for HTTP requests where the host's leftmost label is an application custom scheme but the name resolves to a public IP address rather than 127.0.0.1.
- Hunt for browser process telemetry showing WebView2 or Android WebView navigating to subdomains matching internal application scheme names.
Monitoring Recommendations
- Enable DNS query logging on endpoints running Tauri applications and alert on resolutions of subdomains matching known custom scheme labels.
- Correlate process execution telemetry with outbound network connections from Tauri-built binaries on Windows endpoints.
- Review mobile device management logs on Android fleets for installed apps still shipping vulnerable Tauri runtimes.
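As an added example covering the Indicators of Compromise, Detection Strategies and DNS query logging recommendations above (this is not code from the advisory or from Tauri), the hunt below runs over constructed DNS-query log lines and flags resolutions where the leftmost label is a known custom scheme but the full name is not <scheme>.localhost, limited to processes known to be Tauri-built. The key=value log format, the endpoint and process names, and the scheme myapp are assumptions.

```rust
// Added example (not from the advisory or from Tauri): flag DNS queries from
// Tauri-built processes whose leftmost label is a custom scheme but whose full
// name is not "<scheme>.localhost". Log format and names are constructed.
use std::collections::HashMap;

/// Constructed sample log lines in a simple key=value format.
const SAMPLE_LOG: &[&str] = &[
    "2026-05-27T10:01:02Z endpoint=WS-017 proc=myapp.exe qname=myapp.localhost",
    "2026-05-27T10:02:15Z endpoint=WS-017 proc=myapp.exe qname=myapp.attacker.tld",
    "2026-05-27T10:03:40Z endpoint=WS-022 proc=chrome.exe qname=myapp.attacker.tld",
    "2026-05-27T10:04:01Z endpoint=WS-017 proc=myapp.exe qname=updates.example.com",
    "2026-05-27T10:05:12Z endpoint=AND-03 proc=com.example.myapp qname=myapp.localhost.evil.example.",
];

#[derive(Debug, Clone, PartialEq)]
struct Finding {
    endpoint: String,
    process: String,
    qname: String,
}

/// Parse "key=value" tokens; tokens without '=' (the timestamp) are ignored.
fn parse_kv(line: &str) -> HashMap<&str, &str> {
    line.split_whitespace()
        .filter_map(|tok| tok.split_once('='))
        .collect()
}

/// One Finding per line where a Tauri process queried a name whose leftmost
/// label matches a custom scheme but which is not the expected local mapping.
fn find_spoofed_local_origins(
    lines: &[&str],
    schemes: &[&str],
    tauri_procs: &[&str],
) -> Vec<Finding> {
    let mut findings = Vec::new();
    for line in lines {
        let kv = parse_kv(line);
        let (process, qname) = match (kv.get("proc"), kv.get("qname")) {
            (Some(p), Some(q)) => (*p, *q),
            _ => continue,
        };
        // only processes from Tauri-built applications are in scope
        if !tauri_procs.iter().any(|p| p.eq_ignore_ascii_case(process)) {
            continue;
        }
        // normalise: lowercase and drop a trailing FQDN dot
        let qname = qname.trim_end_matches('.').to_ascii_lowercase();
        let first = qname.split('.').next().unwrap_or("");
        let is_scheme = schemes.iter().any(|s| s.eq_ignore_ascii_case(first));
        if is_scheme && qname != format!("{}.localhost", first) {
            findings.push(Finding {
                endpoint: kv.get("endpoint").copied().unwrap_or("?").to_string(),
                process: process.to_string(),
                qname,
            });
        }
    }
    findings
}

fn main() {
    let hits = find_spoofed_local_origins(
        SAMPLE_LOG,
        &["myapp"],
        &["myapp.exe", "com.example.myapp"],
    );
    for f in hits {
        println!(
            "ALERT endpoint={} proc={} qname={}",
            f.endpoint, f.process, f.qname
        );
    }
}
```

Queries for myapp.localhost itself are the expected Tauri mapping and are not flagged; the same qname from a non-Tauri process (the chrome.exe line) is also ignored, because the indicator on this page is specifically outbound resolution from Tauri application processes.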
How to Mitigate CVE-2026-42184
Immediate Actions Required
- Upgrade all Tauri-based applications to version 2.10.3 or later and redistribute updated builds to users.
- Identify applications in your environment built on Tauri 2.0 through 2.11.0 and prioritize patching those running on Windows and Android.
- Restrict outbound navigation from Tauri WebViews to known-good origins through application allowlists where supported.
Patch Information
The issue is fixed in Tauri 2.10.3. Application developers must rebuild their projects against the patched framework version and ship updated binaries to end users. Refer to the GitHub Security Advisory GHSA-7gmj-67g7-phm9 for the official fix details.
Workarounds
- Avoid common or guessable custom scheme names in tauri.conf.json to raise the cost of attacker reconnaissance until patching is complete.
- Constrain WebView navigation using the Tauri Content Security Policy configuration to deny external hosts.
- Educate users to avoid following untrusted links rendered inside affected desktop or mobile applications.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.