OpenClaw Server-Side Request Forgery Policy Bypass (CVE-2026-42439)
The National Vulnerability Database has disclosed CVE-2026-42439, a high-severity server-side request forgery (SSRF) policy bypass vulnerability in OpenClaw prior to version 2026.4.10. This flaw, rated 8.5 CVSS, allows attackers to circumvent configured browser SSRF policy protections.
Specifically, the vulnerability resides in the browser tabs action select and close routes. Attackers can exploit the /tabs/action endpoint to perform unauthorized tab navigation operations, effectively bypassing security controls designed to prevent malicious requests from the server.
This is a critical issue for any organization utilizing OpenClaw. An attacker successfully exploiting this could pivot from a seemingly benign request to access internal resources or conduct further reconnaissance, making this a prime target for initial access or privilege escalation within a network. Defenders must prioritize patching.
What This Means For You
- If your organization uses OpenClaw, immediately assess your version. Patch to OpenClaw 2026.4.10 or later without delay. Review your network logs for any suspicious activity related to `/tabs/action` endpoints or unusual outbound connections from OpenClaw instances.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
OpenClaw SSRF Policy Bypass via /tabs/action - CVE-2026-42439
title: OpenClaw SSRF Policy Bypass via /tabs/action - CVE-2026-42439
id: scw-2026-05-05-ai-1
status: experimental
level: high
description: |
Detects attempts to exploit the CVE-2026-42439 vulnerability in OpenClaw by targeting the /tabs/action endpoint via a POST request. This specific path is known to be vulnerable to SSRF policy bypass, allowing attackers to perform unauthorized navigation operations.
author: SCW Feed Engine (AI-generated)
date: 2026-05-05
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-42439/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
uri|contains:
- '/tabs/action'
cs-method:
- 'POST'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42439 | SSRF | OpenClaw |
| CVE-2026-42439 | SSRF | OpenClaw versions prior to 2026.4.10 |
| CVE-2026-42439 | SSRF | Vulnerable endpoint: /tabs/action |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 05, 2026 at 15:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
EFM ipTIME C200 Vulnerability: Remote Command Injection Exposed
CVE-2026-7833 — A weakness has been identified in EFM ipTIME C200 up to 1.092. This vulnerability affects the function sub_408F90 of the file /cgi/iux_set.cgi of...
IObit Advanced SystemCare 19: High-Severity Symlink Following Vulnerability (CVE-2026-7832)
CVE-2026-7832 — A security flaw has been discovered in IObit Advanced SystemCare 19. This affects an unknown part of the file ASC.exe of the component...
CVE-2026-30246 — Fiber is a web framework for Go. In
CVE-2026-30246 — Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the...