PT-2026-38237 · Openclaw · Openclaw

Dhyabi2 · Published 2026-04-17 · Updated 2026-05-07 · CVE-2026-43582

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.4.10
Description: A server-side request forgery (SSRF) issue exists in the browser navigation policy. The hostname of a requested URL is checked against an allowlist, but the check and the actual network request resolve the hostname independently, so an attacker who controls the DNS answers for a hostname can have it resolve to an allowed address during validation and to an internal address when the request is made (DNS rebinding, a time-of-check-to-time-of-use race). Consequently, attackers can pivot to internal resources using URLs whose hostnames are not on the allowlist.
Recommendations: Update to version 2026.4.10.
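To make the check-versus-use gap concrete, the following added example (not OpenClaw code, and not taken from the advisory) contrasts a policy that resolves the hostname once for validation and again for the connection with one that validates the resolved address and pins the connection to it. The resolver, the blocked ranges and the hostname `rebind.example` are constructed for illustration.

```python
import ipaddress
from typing import Callable, List

# Constructed for this example: address ranges a navigation policy
# should never let a fetch reach (loopback, RFC 1918, link-local, ULA).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], str]  # hostname -> IP literal (hypothetical type)

def is_public_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in BLOCKED_NETWORKS)

def resolve_twice(host: str, resolver: Resolver) -> str:
    """Vulnerable pattern: validate one lookup, connect using another.
    Returns the address the connection would actually be made to."""
    if not is_public_address(resolver(host)):
        raise ValueError(f"{host} resolved to a blocked address")
    return resolver(host)  # second lookup: this is the rebinding window

def resolve_and_pin(host: str, resolver: Resolver) -> str:
    """Fixed pattern: validate and connect to the same resolved address.
    The caller opens the socket to this IP and sends 'Host: <host>'."""
    ip = resolver(host)
    if not is_public_address(ip):
        raise ValueError(f"{host} resolved to a blocked address")
    return ip

class RebindingResolver:
    """Constructed stand-in for a DNS zone with a short TTL whose first
    answer is a public address and whose later answers are internal."""
    def __init__(self, answers: List[str]) -> None:
        self.answers = list(answers)
    def __call__(self, host: str) -> str:
        return self.answers.pop(0) if len(self.answers) > 1 else self.answers[0]

def demo() -> dict:
    answers = ["203.0.113.10", "127.0.0.1"]  # TEST-NET-3, then loopback
    vulnerable = resolve_twice("rebind.example", RebindingResolver(answers))
    pinned = resolve_and_pin("rebind.example", RebindingResolver(answers))
    return {"vulnerable": vulnerable, "pinned": pinned}

if __name__ == "__main__":
    print(demo())  # {'vulnerable': '127.0.0.1', 'pinned': '203.0.113.10'}
```

Pinning only closes the gap for the first hop: any HTTP redirect the fetch follows must go through the same resolve-validate-pin step, and the address check must run on every address the resolver returns, not just the first.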

Fix

SSRF

Time Of Check To Time Of Use


Weakness Enumeration

Related Identifiers

CVE-2026-43582
GHSA-W7RC-VVGX-PJ45
GHSA-XQ94-R468-QWGJ

Affected Products

Openclaw