CVE-2026-43576 Overview
CVE-2026-43576 is a Server-Side Request Forgery (SSRF) vulnerability in OpenClaw versions before 2026.4.5. The flaw lies in OpenClaw's handling of the Chrome DevTools Protocol (CDP) /json/version discovery endpoint: the webSocketDebuggerUrl field in that endpoint's response is not validated before the client connects to it. Attackers with low privileges can manipulate the response to redirect WebSocket connections to arbitrary second-hop targets. This enables pivoting from a trusted CDP endpoint to untrusted internal hosts, bypassing network segmentation controls. The vulnerability is tracked under CWE-601 (URL Redirection to Untrusted Site).
Critical Impact
Attackers can pivot from a trusted CDP endpoint to arbitrary internal hosts via WebSocket redirection, exposing internal services to SSRF-style probing.
Affected Products
- OpenClaw versions before 2026.4.5
- OpenClaw browser extension CDP integration (extensions/browser/src/browser/cdp.ts)
- Deployments exposing the CDP /json/version discovery endpoint
Discovery Timeline
- 2026-05-06 - CVE-2026-43576 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43576
Vulnerability Analysis
The vulnerability exists in OpenClaw's CDP client logic, which performs endpoint discovery against the /json/version HTTP(S) route. This endpoint returns a JSON document containing a webSocketDebuggerUrl field that the client subsequently connects to. OpenClaw treats this returned URL as trusted without validating its host or scheme against an allowlist.
An attacker controlling the first-hop CDP server, or able to influence its response, can craft a webSocketDebuggerUrl pointing to an arbitrary internal target. The OpenClaw client then opens a WebSocket connection to that second-hop destination, sending requests on behalf of the host. This pattern matches classic SSRF behavior, with the additional twist that the redirection happens at the protocol-discovery layer rather than via HTTP redirects.
Root Cause
The root cause is missing validation of the webSocketDebuggerUrl field returned from /json/version discovery. The CDP client accepts any URL the server provides, including URLs pointing to hosts other than the originally configured CDP endpoint.
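The discovery flow and the missing check, as an added example that is not OpenClaw's code: it models the /json/version step described above, shows the pre-patch pattern of using the returned webSocketDebuggerUrl as-is, and beside it a validation that keeps the second hop on the configured host (same port) or on an explicitly allowed one. The SsrfPolicy shape and the function names (assertSecondHopAllowed, resolveCdpWebSocketUrl) are assumptions for illustration, not the project's real API.

```typescript
// Added example, not OpenClaw's code: models the /json/version discovery step and a
// hardened check on the returned webSocketDebuggerUrl. The SsrfPolicy shape and the
// function names are assumptions for illustration, not the project's real API.

interface SsrfPolicy {
  allowedHosts: string[];    // hosts other than the configured endpoint that may be dialled
  allowedSchemes?: string[]; // defaults to ws: and wss:
}

interface VersionResponse {
  Browser?: string;
  webSocketDebuggerUrl?: string; // the URL the client subsequently connects to
}

// Pre-patch pattern: whatever the first hop returns is used as-is.
function pickWsUrlUnvalidated(body: VersionResponse): string {
  if (!body.webSocketDebuggerUrl) {
    throw new Error("discovery response lacks webSocketDebuggerUrl");
  }
  return body.webSocketDebuggerUrl;
}

// Hardened: the second hop must use a WebSocket scheme and stay on the configured
// host (same port) or on a host the policy explicitly allows. Going through the
// WHATWG URL parser means userinfo tricks (ws://localhost@10.0.0.5/) and mixed-case
// hosts are compared by their real, normalised hostname.
function assertSecondHopAllowed(wsUrlRaw: string, cdpUrl: string, policy: SsrfPolicy): URL {
  let ws: URL | null = null;
  try {
    ws = new URL(wsUrlRaw);
  } catch {
    // fall through to the error below
  }
  if (!ws) {
    throw new Error(`unparsable webSocketDebuggerUrl: ${wsUrlRaw}`);
  }
  const schemes = policy.allowedSchemes ?? ["ws:", "wss:"];
  if (!schemes.some((s) => s === ws!.protocol)) {
    throw new Error(`scheme not allowed for CDP second hop: ${ws.protocol}`);
  }
  const configured = new URL(cdpUrl);
  const host = ws.hostname.toLowerCase();
  if (host === configured.hostname.toLowerCase()) {
    // Same host but a different port would still be a pivot to another service.
    if (ws.port !== configured.port) {
      throw new Error(`port ${ws.port || "(default)"} differs from configured CDP port`);
    }
    return ws;
  }
  if (!policy.allowedHosts.some((h) => h.toLowerCase() === host)) {
    throw new Error(`second-hop host not allowed: ${ws.hostname}`);
  }
  return ws;
}

// What a patched discovery path does with the /json/version body.
function resolveCdpWebSocketUrl(body: VersionResponse, cdpUrl: string, policy: SsrfPolicy): string {
  return assertSecondHopAllowed(pickWsUrlUnvalidated(body), cdpUrl, policy).toString();
}

// Boolean wrapper, convenient for tests and for logging a decision.
function isSecondHopAllowed(wsUrlRaw: string, cdpUrl: string, policy: SsrfPolicy): boolean {
  try {
    assertSecondHopAllowed(wsUrlRaw, cdpUrl, policy);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample: a benign discovery response and a redirected one.
const CDP_URL = "http://localhost:9222";
const POLICY: SsrfPolicy = { allowedHosts: [] };
console.log(resolveCdpWebSocketUrl({ webSocketDebuggerUrl: "ws://localhost:9222/devtools/browser/abc" }, CDP_URL, POLICY));
console.log(isSecondHopAllowed("ws://10.0.0.5:8080/devtools/browser/x", CDP_URL, POLICY));
```

The port comparison is deliberately strict: a webSocketDebuggerUrl that keeps the configured hostname but changes the port is still a redirect to a different service, so it is rejected unless the policy names that host explicitly.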
Attack Vector
The attack requires network access to OpenClaw and low privileges to trigger CDP discovery. The attacker either operates a malicious CDP server or compromises the response from a legitimate one. The patch in commit bc356cc8c2beaa747c71dd86cceab8f804699665 adds an assertCdpEndpointAllowed check that validates the resolved WebSocket URL against an SSRF policy before connection.
let wsUrl: string;
if (isWebSocketUrl(opts.cdpUrl)) {
// Direct WebSocket URL — skip /json/version discovery.
+ await assertCdpEndpointAllowed(opts.cdpUrl, opts.ssrfPolicy);
wsUrl = opts.cdpUrl;
} else {
// Standard HTTP(S) CDP endpoint — discover WebSocket URL via /json/version.
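Review bot: the new assertCdpEndpointAllowed call sits only in the direct-WebSocket branch; the else branch that follows (the /json/version discovery path, where the webSocketDebuggerUrl this advisory is about is obtained) is cut off here, and the wsUrl resolved on that path needs the same check before any connection is opened. Suggest either validating the discovered URL inside the else branch, or moving the check to a single `await assertCdpEndpointAllowed(wsUrl, opts.ssrfPolicy);` after the if/else so both paths are covered by one line.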
Source: OpenClaw GitHub Commit bc356cc
The patch hardens direct CDP WebSocket validation by enforcing the configured ssrfPolicy before establishing the connection, blocking redirection to disallowed hosts.
Detection Methods for CVE-2026-43576
Indicators of Compromise
- Outbound WebSocket connections from OpenClaw processes to internal IP ranges (RFC1918) not associated with configured CDP endpoints.
- HTTP responses from /json/version endpoints containing webSocketDebuggerUrl values pointing to unexpected hostnames or non-loopback addresses.
- OpenClaw log entries showing CDP connections to hosts that differ from the originally configured cdpUrl.
Detection Strategies
- Inspect proxy and network telemetry for WebSocket upgrade requests originating from OpenClaw to hosts outside an approved allowlist.
- Correlate CDP discovery requests with subsequent WebSocket destinations to identify host mismatches indicative of redirection.
- Audit OpenClaw configurations to confirm the ssrfPolicy option is set and enforced on all CDP integrations.
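The second strategy above, correlating each CDP discovery request with the WebSocket destination that follows it, as an added example that is not OpenClaw's code. The log format below is constructed for illustration (the page does not document OpenClaw's real log schema), so the regular expression is the part to adapt; the pairing logic and the internal-address classifier carry over unchanged.

```typescript
// Added detection example, not OpenClaw's code. The log line format is constructed
// for illustration; adapt LINE_RE to the real OpenClaw log schema.

interface CdpEvent {
  ts: string;
  kind: "discovery" | "connect";
  url: URL;
}

interface Finding {
  ts: string;
  discoveryHost: string;
  connectHost: string;
  reasons: string[];
}

// Constructed format: "<timestamp> cdp discovery url=<http url>" followed by
// "<timestamp> cdp connect ws=<websocket url>".
const LINE_RE = /^(\S+) cdp (discovery|connect) (?:url|ws)=(\S+)$/;

function parseLine(line: string): CdpEvent | null {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  try {
    return { ts: m[1], kind: m[2] as CdpEvent["kind"], url: new URL(m[3]) };
  } catch {
    return null; // malformed URL: ignore rather than crash the pipeline
  }
}

// RFC1918, loopback and link-local (cloud metadata lives in 169.254.0.0/16).
function isPrivateOrLinkLocal(host: string): boolean {
  if (host === "localhost" || host === "[::1]") return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const [a, b, c, d] = m.slice(1).map(Number);
  if ([a, b, c, d].some((o) => o > 255)) return false;
  return (
    a === 10 ||
    a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254)
  );
}

// Pair every connect with the most recent discovery and flag host mismatches.
// Connects with no preceding discovery (a direct ws:// cdpUrl) are not flagged
// here; they are covered by the plain egress allowlist check instead.
function correlate(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  let lastDiscovery: CdpEvent | null = null;
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    if (ev.kind === "discovery") {
      lastDiscovery = ev;
      continue;
    }
    if (!lastDiscovery) continue;
    const discoveryHost = lastDiscovery.url.hostname;
    const connectHost = ev.url.hostname;
    if (connectHost === discoveryHost) continue;
    const reasons = ["host-mismatch"];
    if (isPrivateOrLinkLocal(connectHost)) reasons.push("internal-target");
    findings.push({ ts: ev.ts, discoveryHost, connectHost, reasons });
  }
  return findings;
}

// Constructed sample log: one benign pair, two redirects to internal addresses,
// and one redirect to an external (TEST-NET) address.
const SAMPLE_LOG = [
  "2026-05-06T10:00:01Z cdp discovery url=http://localhost:9222/json/version",
  "2026-05-06T10:00:01Z cdp connect ws=ws://localhost:9222/devtools/browser/aaaa",
  "2026-05-06T10:01:10Z cdp discovery url=http://cdp-gw.corp.example:9222/json/version",
  "2026-05-06T10:01:10Z cdp connect ws=ws://10.0.0.15:8080/devtools/browser/bbbb",
  "2026-05-06T10:02:30Z cdp discovery url=http://cdp-gw.corp.example:9222/json/version",
  "2026-05-06T10:02:31Z cdp connect ws=ws://169.254.169.254/devtools/browser/cccc",
  "2026-05-06T10:03:00Z cdp discovery url=http://localhost:9222/json/version",
  "2026-05-06T10:03:01Z cdp connect ws=ws://203.0.113.9:9222/devtools/browser/dddd",
];

for (const f of correlate(SAMPLE_LOG)) {
  console.log(`${f.ts} ${f.discoveryHost} -> ${f.connectHost} [${f.reasons.join(",")}]`);
}
```

Findings tagged internal-target match the first indicator in the list above (WebSocket connections to RFC1918 or link-local ranges that do not correspond to a configured CDP endpoint); a plain host-mismatch to an external address is still worth a ticket, since the discovery response should never move the client off the configured host.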
Monitoring Recommendations
- Monitor egress traffic from OpenClaw hosts for connections to internal management interfaces, metadata services, or loopback ports.
- Alert on OpenClaw versions below 2026.4.5 discovered through software inventory scans.
- Track changes to CDP endpoint configuration files and environment variables that influence cdpUrl resolution.
How to Mitigate CVE-2026-43576
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.5 or later, which contains the validated assertCdpEndpointAllowed check.
- Restrict network egress from hosts running OpenClaw so they cannot reach internal management interfaces or cloud metadata endpoints.
- Audit existing CDP endpoint configurations and remove any pointing to untrusted or third-party hosts.
Patch Information
The fix is delivered in OpenClaw 2026.4.5 via commit bc356cc8c2beaa747c71dd86cceab8f804699665. Refer to the OpenClaw GitHub Security Advisory GHSA-f7fh-qg34-x2xh and the VulnCheck SSRF Advisory for full details.
Workarounds
- Configure an explicit ssrfPolicy allowlist limiting CDP WebSocket destinations to known, trusted hosts.
- Run OpenClaw in a network namespace or container with egress firewall rules blocking access to internal subnets and metadata services.
- Disable CDP integration entirely on deployments that do not require browser automation features.
# Verify installed OpenClaw version and upgrade
npm ls openclaw
npm install openclaw@2026.4.5
# Example egress restriction (Linux iptables) for OpenClaw host.
# Rules are matched in order: if the approved CDP endpoint itself lives on an
# internal address, add an ACCEPT rule for it before these DROP rules.
iptables -A OUTPUT -d 169.254.169.254 -j DROP # block cloud metadata
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP # block internal RFC1918
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.