CVE-2026-43573

HIGH WAF: Medium

CVSS 7.7 Published: 2026-05-05

CWE-862 CWE-918 CWE-918

OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement.

WAF Coverage Analysis

Missing Authorization Low WAF Coverage

OWASP: A01:2021 Broken Access Control

Server-Side Request Forgery (SSRF) Medium WAF Coverage

OWASP: A10:2021 SSRF

934xxx - Node.js / Generic Injection

Server-Side Request Forgery (SSRF) Medium WAF Coverage

OWASP: A10:2021 SSRF

934xxx - Node.js / Generic Injection

Affected Software

Vendor	Product	Version
openclaw	openclaw	up to 2026.4.10

References

github.com (Patch)
github.com (Vendor Advisory)
www.vulncheck.com (Third Party Advisory)

Back to CVE Database