VYPR
Medium severity · 6.5 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-35673


Description

OpenClaw before 2026.4.29 contains an SSRF policy bypass vulnerability in browser debug and export routes that allows reuse of already-open blocked tabs. Attackers with access to these routes can bypass private-network SSRF policies by reusing blocked tabs to export or inspect content that should remain protected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenClaw before 2026.4.29 contains an SSRF policy bypass vulnerability in browser debug/export routes, allowing reuse of blocked tabs to access private-network resources.

Vulnerability

OpenClaw versions before 2026.4.29 contain an SSRF policy bypass vulnerability in the browser debug and export routes [1], [2]. The feature allows reuse of already-open blocked tabs without reapplying the expected private-network SSRF policy, enabling bypass of access controls intended to protect private-network resources [1].

Exploitation

An attacker must have access to the browser debug/export routes and be able to reference an already-open browser tab that was blocked by the SSRF policy [1]. The vulnerability can be exploited without requiring elevated privileges if the affected feature is enabled and reachable; however, the trusted-operator model means authenticated Gateway operators and installed plugins are considered trusted unless a separate policy boundary is crossed [1]. No user interaction beyond the initial tab open is required, but the attacker must have a way to reuse the blocked tab.

Impact

Successful exploitation allows the attacker to bypass private-network SSRF policies, resulting in unauthorized export or inspection of content from tabs that should have remained protected [1], [2]. This primarily leads to confidentiality compromise (information disclosure) of private-network resources. The practical impact depends on the operator's configuration and whether lower-trust input can reach the vulnerable path [1].

Mitigation

The first stable patched version is 2026.4.29 [1]. Workarounds include closing blocked tabs before using debug/export routes, restricting access to browser debug routes until patched, keeping channel and tool allowlists narrow, avoiding sharing a single Gateway between mutually untrusted users, and disabling the affected feature when not needed [1]. There is no mention of inclusion in the KEV list.

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • OpenClaw/Openclaw (inferred, 2 versions)
    • (no CPE) range: <2026.4.29
    • (no CPE) range: < 2026.4.29

Patches

1
a448042c2edd

test(qa): extend restart boundary wait

https://github.com/OpenClaw/OpenClaw · Peter Steinberger · Apr 30, 2026 · Fixed in 2026.4.29 via release-tag
1 file changed · +2 −1
  • extensions/qa-lab/src/gateway-child.ts (+2 −1, modified)
    @@ -44,6 +44,7 @@ import type { QaTransportAdapter } from "./qa-transport.js";
     export type { QaCliBackendAuthMode } from "./providers/env.js";
     const QA_GATEWAY_CHILD_STARTUP_MAX_ATTEMPTS = 5;
     const QA_GATEWAY_CHILD_RPC_RETRY_HEALTH_TIMEOUT_MS = 60_000;
    +const QA_GATEWAY_CHILD_RESTART_BOUNDARY_TIMEOUT_MS = 90_000;
     const QA_GATEWAY_CHILD_BLOCKED_SECRET_ENV_VARS = Object.freeze([
       "OPENCLAW_QA_CONVEX_SECRET_CI",
       "OPENCLAW_QA_CONVEX_SECRET_MAINTAINER",
    @@ -276,7 +277,7 @@ async function waitForQaGatewayRestartBoundary(params: {
       pollMs?: number;
       timeoutMs?: number;
     }) {
    -  const timeoutMs = params.timeoutMs ?? 30_000;
    +  const timeoutMs = params.timeoutMs ?? QA_GATEWAY_CHILD_RESTART_BOUNDARY_TIMEOUT_MS;
       const pollMs = params.pollMs ?? 100;
       const startedAt = Date.now();
       while (Date.now() - startedAt < timeoutMs) {
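Review bot: Raising the fallback on the `const timeoutMs = params.timeoutMs ?? ...` line from `30_000` to `90_000` means every caller that omits `timeoutMs` now waits up to three times longer before the `while` loop exits, which can absorb a slow or failed restart instead of surfacing it; consider recording the elapsed time when the boundary is reached so regressions in restart time stay visible. The change is also confined to the QA restart wait in `extensions/qa-lab/src/gateway-child.ts` and does not touch any browser debug or export route, so it should not be the commit tracked as the SSRF fix.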
    

Vulnerability mechanics

Root cause

"The browser debug and export routes fail to re-validate SSRF policy when reusing already-open blocked tabs, allowing bypass of private-network access restrictions."

Attack vector

An attacker with access to the browser debug and export routes can bypass private-network SSRF policies by reusing already-open blocked tabs. The attacker triggers the export or debug functionality on a tab that was previously blocked from accessing private-network resources; because the tab is already open, the policy check is circumvented and the content is exported or inspected. The CVSS vector indicates that the attack requires network access, high complexity, low privileges and user interaction, and that it can change the scope, with high confidentiality impact and low integrity impact.

Affected code

The advisory describes SSRF policy bypass in "browser debug and export routes" that allows reuse of already-open blocked tabs. The patch touches `extensions/qa-lab/src/gateway-child.ts`, specifically the `waitForQaGatewayRestartBoundary` function, but this change only adjusts a timeout constant and does not appear to address the SSRF bypass mechanism described in the CVE.

What the fix does

The patch [patch_id=3102117] only extends a restart-boundary timeout from 30 seconds to 90 seconds in `waitForQaGatewayRestartBoundary` within `extensions/qa-lab/src/gateway-child.ts`. This change does not address the SSRF policy bypass described in the CVE — it is a test/QA reliability adjustment. The advisory does not include a patch that fixes the actual SSRF bypass vulnerability, and no remediation for the tab-reuse bypass is shown in the provided bundle.
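The root cause described above is a policy that is enforced when a tab navigates but not again when a route reuses that tab. As an added example (not OpenClaw's code and not the fix shipped in 2026.4.29), this TypeScript model contrasts an export handler that trusts any open tab with one that re-applies the policy at the point of use; the `Tab` shape, the function names and the sample URLs are all assumptions.

```typescript
// Added illustration, not OpenClaw code: every type, name and sample value is hypothetical.
type Tab = { id: string; url: string; blocked: boolean; snapshot: string };
type ExportResult = { status: number; body?: string; reason?: string };

// Simplified private-network test (IPv4 literals and localhost names only).
// A production policy must also cover DNS resolution and the IPv6 ranges.
function isPrivateHost(host: string): boolean {
  const h = host.toLowerCase().replace(/^\[|\]$/g, "");
  if (h === "::1" || /(^|\.)localhost$/.test(h)) return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(h);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
}

function ssrfPolicyAllows(rawUrl: string): boolean {
  try {
    const u = new URL(rawUrl);
    return (u.protocol === "http:" || u.protocol === "https:") && !isPrivateHost(u.hostname);
  } catch {
    return false; // unparseable URLs fail closed
  }
}

const findTab = (tabs: Tab[], id: string): Tab | undefined => tabs.filter((t) => t.id === id)[0];

// Before: the route trusts any tab that is already open and never consults the policy.
function exportTabUnchecked(tabs: Tab[], id: string): ExportResult {
  const tab = findTab(tabs, id);
  return tab ? { status: 200, body: tab.snapshot } : { status: 404, reason: "unknown tab" };
}

// After: reuse is handled like a new request. Checking the current URL as well as the
// stored flag also covers a tab whose flag is stale.
function exportTabChecked(tabs: Tab[], id: string): ExportResult {
  const tab = findTab(tabs, id);
  if (!tab) return { status: 404, reason: "unknown tab" };
  if (tab.blocked || !ssrfPolicyAllows(tab.url)) return { status: 403, reason: "denied by SSRF policy" };
  return { status: 200, body: tab.snapshot };
}

// Constructed sample state: a public tab, a blocked tab, and a tab whose flag is stale.
const sampleTabs: Tab[] = [
  { id: "t1", url: "https://example.com/", blocked: false, snapshot: "public page" },
  { id: "t2", url: "http://10.0.0.5/status", blocked: true, snapshot: "internal page" },
  { id: "t3", url: "http://192.168.1.10/", blocked: false, snapshot: "internal page" },
];
for (const t of sampleTabs) console.log(t.id, exportTabUnchecked(sampleTabs, t.id).status, exportTabChecked(sampleTabs, t.id).status);
```
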

Preconditions

  • auth: Attacker must have access to the browser debug and export routes
  • input: A blocked tab (prevented from accessing private-network resources) must already be open in the browser
  • input: User interaction is required (CVSS:UI:R)

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
