High severity (7.7) · NVD Advisory · Published May 6, 2026 · Updated May 7, 2026
CVE-2026-43576
Description
OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/version WebSocket endpoint that allows attackers to pivot to untrusted second-hop targets. The webSocketDebuggerUrl response field is not properly validated, enabling attackers to redirect connections to arbitrary hosts and perform SSRF-style attacks.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.4.5 | 2026.4.5 |
Affected products
Patches (2)
bc356cc8c2be fix: harden direct CDP websocket validation (#60469) (thanks @eleqtrizit)
3 files changed · +15 −0
CHANGELOG.md+1 −0 modified@@ -177,6 +177,7 @@ Docs: https://docs.openclaw.ai - Agents/logging: keep orphaned-user transcript repair warnings focused on interactive runs, and downgrade background-trigger repairs (`heartbeat`, `cron`, `memory`, `overflow`) to debug logs to reduce false-alarm gateway noise. - Gateway/node pairing: require `operator.pairing` for node approvals end-to-end, while still requiring `operator.write` or `operator.admin` when the pending node commands need those higher scopes. (#60461) Thanks @eleqtrizit. - Providers/OpenRouter: gate Anthropic prompt-cache `cache_control` markers to native/default OpenRouter routes and preserve them for native OpenRouter hosts behind custom provider ids. Thanks @vincentkoc. +- Browser/CDP: validate both initial and discovered CDP websocket endpoints before connect so strict SSRF policy blocks cross-host pivots and direct websocket targets. (#60469) Thanks @eleqtrizit. ## 2026.4.1
extensions/browser/src/browser/cdp.test.ts+13 −0 modified@@ -257,6 +257,19 @@ describe("cdp", () => { ).rejects.toBeInstanceOf(SsrFBlockedError); }); + it("blocks direct websocket cdp urls outside strict SSRF policy", async () => { + await expect( + createTargetViaCdp({ + cdpUrl: "ws://169.254.169.254:9222/devtools/browser/PIVOT", + url: "https://example.com", + ssrfPolicy: { + dangerouslyAllowPrivateNetwork: false, + allowedHostnames: ["127.0.0.1"], + }, + }), + ).rejects.toBeInstanceOf(SsrFBlockedError); + }); + it("evaluates javascript via CDP", async () => { const wsPort = await startWsServerWithMessages((msg, socket) => { if (msg.method === "Runtime.enable") {
extensions/browser/src/browser/cdp.ts+1 −0 modified@@ -183,6 +183,7 @@ export async function createTargetViaCdp(opts: { let wsUrl: string; if (isWebSocketUrl(opts.cdpUrl)) { // Direct WebSocket URL — skip /json/version discovery. + await assertCdpEndpointAllowed(opts.cdpUrl, opts.ssrfPolicy); wsUrl = opts.cdpUrl; } else { // Standard HTTP(S) CDP endpoint — discover WebSocket URL via /json/version.
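Review bot: the new cdp.test.ts case ("blocks direct websocket cdp urls outside strict SSRF policy") only asserts the negative path for the direct-URL branch; there is no companion positive case showing that a direct `ws://` target on an allowlisted host (for example a `ws://127.0.0.1:<port>/...` server started with the `startWsServerWithMessages` helper the next test already uses) still connects under the same `ssrfPolicy`. As written, an `assertCdpEndpointAllowed` that rejects every `ws://` URL would pass this suite, so please add the positive case beside it.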
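Review bot: the one-line addition in cdp.ts gates only the direct-WebSocket branch (`isWebSocketUrl(opts.cdpUrl)`); the `else` branch that discovers `wsUrl` via `/json/version`, which is the path the advisory describes (the unvalidated `webSocketDebuggerUrl`), lies outside this hunk and, with the commit totalling +15 −0 across three files, is not changed here. If that branch already validates the discovered URL (the `rejects.toBeInstanceOf(SsrFBlockedError)` context above the new test suggests an existing second-hop test), say so in the commit message or PR #60469 so the changelog claim "validate both initial and discovered CDP websocket endpoints" is traceable to code; otherwise the discovered-URL check is still missing. A small style point: calling `assertCdpEndpointAllowed(opts.cdpUrl, opts.ssrfPolicy)` once before the `if` would cover `opts.cdpUrl` for both branches and avoid relying on the discovery fetch to enforce the same policy.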
References (6)
- github.com/openclaw/openclaw/commit/bc356cc8c2beaa747c71dd86cceab8f804699665 (NVD: Patch)
- github.com/advisories/GHSA-f7fh-qg34-x2xh (GHSA: Advisory)
- github.com/openclaw/openclaw/security/advisories/GHSA-f7fh-qg34-x2xh (NVD: Mitigation, Vendor Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-43576 (GHSA: Advisory)
- www.vulncheck.com/advisories/openclaw-second-hop-ssrf-via-cdp-json-version-websocket-url (NVD: Third Party Advisory)
- github.com/openclaw/openclaw/pull/60469 (GHSA)