CVE-2026-43573 Overview
CVE-2026-43573 is a Server-Side Request Forgery (SSRF) policy bypass vulnerability in OpenClaw versions before 2026.4.10. The flaw exists in existing-session browser interaction routes, where SSRF navigation guards fail to enforce policy on already-established browser sessions. Authenticated attackers can bypass these guards to interact with or navigate to unauthorized internal or external targets without policy enforcement. The vulnerability is tracked under [CWE-862] (Missing Authorization) and [CWE-918] (SSRF). OpenClaw is distributed as a Node.js package, making this issue relevant to automation pipelines and headless browser orchestration deployments.
Critical Impact
Authenticated attackers can bypass SSRF navigation policy controls on existing browser sessions, enabling interaction with restricted internal network resources or unauthorized destinations.
Affected Products
- OpenClaw (openclaw:openclaw) versions before 2026.4.10
- OpenClaw Node.js package distribution
- Deployments using existing-session browser interaction routes
Discovery Timeline
- 2026-05-05 - CVE-2026-43573 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43573
Vulnerability Analysis
OpenClaw exposes browser interaction routes that operate against existing browser sessions. These routes are protected by SSRF navigation guards intended to restrict which URLs and hosts the browser can interact with. The guards are not consistently applied to interactions that occur within already-established sessions. This omission allows authenticated callers to direct the underlying browser to fetch or navigate to destinations the policy was designed to block. Attackers can leverage the bypass to reach internal-only services, cloud metadata endpoints, or other restricted hosts reachable from the OpenClaw server.
Root Cause
The root cause is missing authorization enforcement on session-bound navigation actions, classified as [CWE-862] in combination with [CWE-918]. The policy checks that validate destination URLs run when a session is created but are skipped in the follow-up interaction handlers, so a caller who holds a session that was opened against an allowed URL can redirect that same session to any destination. This inconsistent enforcement lets session reuse circumvent the SSRF allowlist or denylist logic. The patch in commit daeb74920d5ad986cb600625180037e23221e93a reapplies the navigation guards across the affected interaction routes.
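To make the enforcement gap concrete, the following is an added example written for this page in Node.js, not OpenClaw's own code. It models a small browser-automation service with a destination policy, a session-creation route that applies the guard, and two shapes of the follow-up navigation route: one that trusts the existing session and skips the guard (the class of bug described above) and one that re-runs the same check on every navigation. The route names, the `BrowserService` class, the policy shape (`allowHosts`) and the blocked ranges are assumptions for illustration.

```javascript
// Added example (not OpenClaw's code). Hypothetical service, route names and
// policy shape; the point is that the same destination check must run on
// every navigation, not only when the session is created.

// Blocked IPv4 ranges: "this" network, loopback, RFC1918, CGNAT, link-local
// (which includes the 169.254.169.254 cloud metadata endpoint).
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["127.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10],
  ["172.16.0.0", 12], ["192.168.0.0", 16], ["169.254.0.0", 16],
];

function isIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  return !!m && m.slice(1).every((o) => Number(o) <= 255);
}
function ipv4ToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
function inCidr(ip, [base, bits]) {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return (ipv4ToInt(ip) & mask) === (ipv4ToInt(base) & mask);
}

// If the host is an IPv4-mapped IPv6 address (::ffff:a.b.c.d or the
// hex form ::ffff:XXXX:YYYY that the WHATWG URL parser emits), return
// the embedded IPv4 address; otherwise null.
function mappedV4(host) {
  const h = host.toLowerCase();
  if (!h.startsWith("::ffff:")) return null;
  const rest = h.slice(7);
  if (isIPv4(rest)) return rest;
  const m = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(rest);
  if (!m) return null;
  const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
  return `${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`;
}

// Returns null when the destination is allowed, otherwise a reason string.
// Parsing with URL normalises shorthand forms such as 0x7f.1 or 2130706433
// into dotted quads before the range check. A real guard must also resolve
// DNS and re-check the resolved address (rebinding is out of scope here).
function checkDestination(url, policy) {
  let u;
  try { u = new URL(url); } catch { return "invalid-url"; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return "scheme";
  let host = u.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (host === "localhost") return "blocked-range";
  const v4 = isIPv4(host) ? host : mappedV4(host);
  if (v4 !== null) {
    if (BLOCKED_V4.some((r) => inCidr(v4, r))) return "blocked-range";
  } else if (host.includes(":")) {
    const h = host.toLowerCase();
    if (h === "::1" || h === "::" || h.startsWith("fe80:") || h.startsWith("fc") || h.startsWith("fd")) {
      return "blocked-range";
    }
  }
  if (policy.allowHosts && !policy.allowHosts.includes(host)) return "not-allowlisted";
  return null;
}

class BrowserService {
  constructor(policy) { this.policy = policy; this.sessions = new Map(); this.nextId = 1; }

  // Session creation: guard applied here in both the vulnerable and fixed shapes.
  createSession(url) {
    const reason = checkDestination(url, this.policy);
    if (reason) throw new Error(`blocked at create: ${reason}`);
    const id = String(this.nextId++);
    this.sessions.set(id, { url, history: [url] });
    return id;
  }

  // VULNERABLE shape: the existing session is treated as proof of authorization
  // and the destination is never re-checked, so the browser fetches anything.
  navigateExistingUnchecked(id, url) {
    const s = this.sessions.get(id);
    if (!s) throw new Error("no such session");
    s.history.push(url); s.url = url; // the browser would now load url
    return s.url;
  }

  // FIXED shape: the same guard runs on every session-bound navigation.
  navigateExisting(id, url) {
    const s = this.sessions.get(id);
    if (!s) throw new Error("no such session");
    const reason = checkDestination(url, this.policy);
    if (reason) throw new Error(`blocked on existing session: ${reason}`);
    s.history.push(url); s.url = url;
    return s.url;
  }
}

// Demonstration with constructed inputs: open a session against an allowed
// host, then try to steer it at the metadata endpoint through both routes.
function demo() {
  const svc = new BrowserService({ allowHosts: ["example.com"] });
  const id = svc.createSession("https://example.com/");
  const target = "http://169.254.169.254/latest/meta-data/";
  const results = { unchecked: svc.navigateExistingUnchecked(id, target) };
  try { svc.navigateExisting(id, target); results.checked = "allowed"; }
  catch (e) { results.checked = e.message; }
  return results;
}
```

Calling `demo()` shows the unchecked route returning the metadata URL as the session's new location, while the checked route rejects it with `blocked-range`. The useful design point is that `checkDestination` is a single function shared by every route that can cause the browser to load a URL; a guard that lives only in the creation handler is exactly the shape that produces this bug.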
Attack Vector
Exploitation requires network access to the OpenClaw service and low-privileged authenticated access (CVSS v4 PR:L). The attacker opens a legitimate browser session against a permitted URL, then issues a follow-up interaction or navigation request on that session targeting a restricted destination. Because the navigation guard is not applied on the existing-session route, the request is honored. The impact is scored primarily against subsequent system confidentiality (SC:H): the attacker can reach internal endpoints, retrieve cloud instance metadata, or pivot to backend services that were never meant to be exposed, using the OpenClaw host's network position. No direct integrity or availability impact is recorded against the vulnerable component.
No public proof-of-concept exploit code is available. See the VulnCheck Advisory on SSRF for additional technical context.
Detection Methods for CVE-2026-43573
Indicators of Compromise
- Outbound HTTP requests from the OpenClaw host to internal RFC1918 addresses or cloud metadata endpoints such as 169.254.169.254.
- Repeated authenticated requests to existing-session browser interaction routes targeting non-allowlisted hostnames.
- Browser session navigation events to URLs that would normally be rejected by the SSRF policy at session creation.
Detection Strategies
- Compare destinations seen in session-bound navigation handlers against the policy applied at session-creation time and alert on divergence.
- Inspect application logs for navigation or interaction calls that succeed against hosts outside the configured SSRF allowlist.
- Run software composition analysis to identify OpenClaw deployments below version 2026.4.10, including container images and lockfiles that pin an older release.
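The first detection strategy above (compare session-bound navigation destinations against the policy recorded at session creation) can be implemented directly over application logs. The block below is an added example for this page, not OpenClaw's logging format or tooling: it assumes a JSON-lines log in which `session.create` events record the `allowHosts` that applied at creation time and `session.navigate` events record follow-up navigations on an existing session. The log lines, field names and actor names are constructed for the example. It also produces the per-actor counts behind the "repeated requests to non-allowlisted hostnames" indicator.

```javascript
// Added detection example (not OpenClaw's code or log schema). Assumed
// JSON-lines events: session.create carries the allowlist applied at
// creation; session.navigate is a follow-up navigation on that session.

// Constructed sample log: one CI account steering an allowed session at the
// metadata endpoint and an internal Consul-style port, one clean user session,
// one malformed line, and one navigate on a session with no recorded create.
const SAMPLE_LOG = [
  '{"ts":"2026-05-06T10:00:00Z","actor":"svc-ci","event":"session.create","session":"s1","url":"https://example.com/login","allowHosts":["example.com","cdn.example.com"]}',
  '{"ts":"2026-05-06T10:00:02Z","actor":"svc-ci","event":"session.navigate","session":"s1","url":"https://cdn.example.com/app.js"}',
  '{"ts":"2026-05-06T10:00:05Z","actor":"svc-ci","event":"session.navigate","session":"s1","url":"http://169.254.169.254/latest/meta-data/iam/"}',
  '{"ts":"2026-05-06T10:00:06Z","actor":"svc-ci","event":"session.navigate","session":"s1","url":"http://10.0.3.7:8500/v1/kv/"}',
  '{"ts":"2026-05-06T10:01:00Z","actor":"alice","event":"session.create","session":"s2","url":"https://example.com/","allowHosts":["example.com"]}',
  '{"ts":"2026-05-06T10:01:01Z","actor":"alice","event":"session.navigate","session":"s2","url":"https://example.com/reports"}',
  'not json at all',
  '{"ts":"2026-05-06T10:02:00Z","actor":"bob","event":"session.navigate","session":"s9","url":"http://127.0.0.1:9200/_cat/indices"}',
].join("\n");

// Hostname of a URL with IPv6 brackets stripped, or null if unparseable.
function hostOf(url) {
  try { return new URL(url).hostname.replace(/^\[|\]$/g, ""); } catch { return null; }
}

// Walk the log in order, remember each session's creation-time allowlist,
// and flag every navigate whose host diverges from it. A navigate with no
// recorded create is flagged too: either logging is incomplete or the
// session was established outside the guarded path.
function detectPolicyDivergence(logText) {
  const policies = new Map(); // session id -> Set of allowed hosts
  const findings = [];
  for (const line of logText.split("\n")) {
    let e;
    try { e = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (e.event === "session.create") {
      policies.set(e.session, new Set(e.allowHosts || []));
      continue;
    }
    if (e.event !== "session.navigate") continue;
    const host = hostOf(e.url);
    const allowed = policies.get(e.session);
    const base = { ts: e.ts, actor: e.actor, session: e.session, url: e.url, host };
    if (!allowed) {
      findings.push({ ...base, reason: "navigate-without-recorded-create" });
    } else if (host === null || !allowed.has(host)) {
      findings.push({ ...base, reason: "host-not-in-session-allowlist" });
    }
  }
  return findings;
}

// Count findings per actor so that an account issuing repeated off-policy
// navigations within a session surfaces above one-off noise.
function summarizeByActor(findings) {
  const counts = {};
  for (const f of findings) counts[f.actor] = (counts[f.actor] || 0) + 1;
  return counts;
}
```

Run against `SAMPLE_LOG`, `detectPolicyDivergence` returns three findings: the two off-allowlist navigations on `s1` (169.254.169.254 and 10.0.3.7) and the orphaned navigate on `s9`; `summarizeByActor` then attributes two of them to `svc-ci`. The allowlist comparison is deliberately exact-match on hostname, so a navigation to a subdomain that was not allowlisted at creation is also flagged; loosen that only if the deployment's policy is itself suffix-based.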
Monitoring Recommendations
- Enable egress logging on hosts running OpenClaw and forward records to a centralized analytics platform.
- Alert on connections from OpenClaw service accounts to link-local, loopback, or internal management ranges.
- Track authenticated API usage patterns and flag accounts that issue unusually broad navigation targets within a single session.
How to Mitigate CVE-2026-43573
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.10 or later, which contains the fix in commit daeb74920d5ad986cb600625180037e23221e93a.
- Audit existing browser session logs for prior navigation to unauthorized internal targets.
- Restrict who can authenticate to OpenClaw interaction routes by enforcing least-privilege on API tokens and accounts.
Patch Information
The vendor fix is published in GitHub Security Advisory GHSA-527m-976r-jf79 and applied in commit daeb74920d5ad986cb600625180037e23221e93a. Upgrade openclaw to 2026.4.10 or later via your Node.js package manager, verify the installed version after the upgrade, and rebuild and redeploy any container images that bundle the package, since an image built from an older lockfile will keep the vulnerable version.
Workarounds
- Place OpenClaw behind an egress proxy that enforces an independent allowlist of permitted destination hosts.
- Use network segmentation and host-based firewall rules to block OpenClaw service accounts from reaching internal management interfaces and cloud metadata endpoints.
- Disable existing-session browser interaction routes in deployments that do not require them until the upgrade is applied.
# Upgrade OpenClaw to the patched release (2026.4.10 is the first fixed
# version; a later release is equally acceptable)
npm install openclaw@2026.4.10
# Confirm the version that is actually resolved in this project
npm ls openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.