High severity 7.7 · NVD Advisory · Published May 6, 2026 · Updated May 7, 2026
CVE-2026-43580
Description
OpenClaw before 2026.4.10 contains an incomplete navigation guard vulnerability that allows attackers to trigger navigation without complete SSRF policy enforcement. Browser press/type style interactions, including pressKey and type submit flows, can bypass post-action security checks to execute unauthorized navigation.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.4.10 | 2026.4.10 |
References
- github.com/openclaw/openclaw/commit/049acf23cb03e1b92f5c71cd99c6ec5f35cc56fe (nvd · Patch · WEB)
- github.com/openclaw/openclaw/commit/5f5b3d733bdd791cb457f838514179e1288b10b3 (nvd · Patch · WEB)
- github.com/openclaw/openclaw/commit/e0b8ddc1a55185aff1cf9e0e095014d2e4f1d894 (nvd · Patch · WEB)
- github.com/advisories/GHSA-536q-mj95-h29h (ghsa · ADVISORY)
- github.com/openclaw/openclaw/security/advisories/GHSA-536q-mj95-h29h (nvd · Mitigation · Vendor Advisory · WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-43580 (ghsa · ADVISORY)
- www.vulncheck.com/advisories/openclaw-incomplete-navigation-guard-coverage-in-browser-interactions (nvd · Third Party Advisory · WEB)
- github.com/openclaw/openclaw/pull/62023 (ghsa · WEB)
- github.com/openclaw/openclaw/pull/63226 (ghsa · WEB)
- github.com/openclaw/openclaw/pull/63889 (ghsa · WEB)