CVE-2026-43580

CVSS v3.1

7.7

High

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.10

Description An incomplete navigation guard allows attackers to trigger navigation without full Server-Side Request Forgery (SSRF) policy enforcement. SSRF is a flaw where an attacker can force a server to make requests to an unintended location. Browser press/type style interactions, specifically pressKey and type submit flows, can bypass post-action security checks to execute unauthorized navigation.

Recommendations Update to version 2026.4.10.

Fix

Missing Authorization

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862CWE-918

Related Identifiers

CVE-2026-43580

GHSA-536Q-MJ95-H29H

GHSA-WWWC-F646-VJ2J

Affected Products

Openclaw

CVE-2026-43580

Weakness Enumeration

Related Identifiers

Affected Products

References · 13