Existing-session browser interaction routes bypassed SSRF policy enforcement.
openclaw< 2026.4.10>= 2026.4.10Existing-session browser interaction routes could continue interacting with or navigating targets without applying the same SSRF navigation guard used by guarded browser routes.
The fix guards existing-session navigation and interaction routes with browser navigation policy checks.
The issue was fixed in #64370. The first stable tag containing the fix is v2026.4.10, and [email protected] includes the fix.
daeb74920d5ad986cb600625180037e23221e93aUsers should upgrade to openclaw 2026.4.10 or newer. The latest npm release, 2026.4.14, already includes the fix.
Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
| Score | Percentile |
|---|---|
| 0.03% | 8.07% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.7 | 3.1 | — |
|
| 6.3 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-527m-976r-jf79 ↗ |
| CVE | CVE-2026-43573 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | openclaw | < 2026.4.10 | 2026.4.10 | — |