Duplicate Advisory: OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage

GHSA-wwwc-f646-vj2j

Published May 6, 2026 · Modified May 11, 2026

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-536q-mj95-h29h. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.4.10 contains an incomplete navigation guard vulnerability that allows attackers to trigger navigation without complete SSRF policy enforcement. Browser press/type style interactions, including pressKey and type submit flows, can bypass post-action security checks to execute unauthorized navigation.

References

WEB https://github.com/openclaw/openclaw/security/advisories/GHSA-536q-mj95-h29h
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-43580
WEB https://github.com/openclaw/openclaw/commit/049acf23cb03e1b92f5c71cd99c6ec5f35cc56fe
WEB https://github.com/openclaw/openclaw/commit/5f5b3d733bdd791cb457f838514179e1288b10b3
WEB https://github.com/openclaw/openclaw/commit/e0b8ddc1a55185aff1cf9e0e095014d2e4f1d894
WEB https://www.vulncheck.com/advisories/openclaw-incomplete-navigation-guard-coverage-in-browser-interactions

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes