Description
Tauri is a framework for building binaries for all major desktop platforms. From 2.0 to 2.11.0, a flaw in Tauri's is_local_url() function causes it to incorrectly classify remote URLs as trusted local origins on Windows and Android. On these systems, Tauri maps custom URI scheme protocols to http://<scheme>.localhost/ because those platforms' WebView implementations cannot serve custom URI schemes directly. The issue is that Tauri's check to see if the origin is local only checks the first subdomain of the URL. An attacker can abuse this by hosting a page on a domain whose subdomain matches the custom scheme of the application. This vulnerability is fixed in 2.10.3.
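As an added illustration (not Tauri's own code and not its actual is_local_url() implementation), the following is a simplified model of the origin check the description above refers to: the weak form that compares only the first host label with the app scheme, beside a strict form that requires the whole host to equal "<scheme>.localhost". The scheme name "myapp", the host "example.test" and all function names are constructed assumptions.

```rust
// Added illustration, not Tauri's code: a simplified model of the origin
// check the advisory describes. Scheme "myapp", host "example.test" and the
// function names are constructed assumptions.

/// Host that Windows/Android map a custom scheme to: "<scheme>.localhost".
fn expected_local_host(app_scheme: &str) -> String {
    format!("{}.localhost", app_scheme)
}

/// Minimal origin parser: "scheme://[user@]host[:port]/..." -> (scheme, host).
fn split_origin(origin: &str) -> Option<(&str, &str)> {
    let (scheme, rest) = origin.split_once("://")?;
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next()?;
    let host = authority.rsplit('@').next()?; // drop optional userinfo
    let host = host.split(':').next()?; // drop optional port
    if host.is_empty() {
        return None;
    }
    Some((scheme, host))
}

/// Weak check modelled on the flaw: only the first DNS label is compared with
/// the app scheme, so "myapp.example.test" is accepted as if it were local.
fn is_local_url_weak(origin: &str, app_scheme: &str) -> bool {
    match split_origin(origin) {
        Some(("http", host)) => host.split('.').next() == Some(app_scheme),
        Some((scheme, _)) => scheme == app_scheme, // native custom-scheme URL
        None => false,
    }
}

/// Strict check: the whole host must equal "<scheme>.localhost", compared
/// case-insensitively, so a remote host with a matching first label fails.
fn is_local_url_strict(origin: &str, app_scheme: &str) -> bool {
    match split_origin(origin) {
        Some(("http", host)) => host.eq_ignore_ascii_case(&expected_local_host(app_scheme)),
        Some((scheme, _)) => scheme == app_scheme,
        None => false,
    }
}

fn main() {
    let remote = "http://myapp.example.test/page.html"; // constructed remote origin
    println!("weak accepts remote:   {}", is_local_url_weak(remote, "myapp"));
    println!("strict accepts remote: {}", is_local_url_strict(remote, "myapp"));
}
```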
Published: 2026-05-27
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in Tauri's is_local_url() function wrongly classifies certain remote URLs as local when the first subdomain matches the application's custom URI scheme on Windows and Android. This misclassification lets a malicious web page invoke IPC commands that are meant to be accessible only by trusted local origins, potentially allowing execution of arbitrary native code on the host.

Affected Systems

All Tauri applications from versions 2.0 through 2.10.2 inclusive on Windows and Android are affected. The issue was fixed in version 2.10.3 and later.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. An attacker would likely host a page on a domain whose first subdomain matches the application's custom scheme to trigger the origin confusion, thereby enabling the execution of local‑only IPC commands and potentially gaining code execution on the victim system.

Generated by OpenCVE AI on May 27, 2026 at 19:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade your Tauri installation to version 2.10.3 or later to apply the official fix.
  • If an upgrade is not immediately possible, constrain the application to load resources only from fully qualified local URLs, ensuring that remote pages cannot exploit the origin confusion.
  • Review and configure the IPC command whitelist to disable any commands that should not be exposed to untrusted origins.

Generated by OpenCVE AI on May 27, 2026 at 19:46 UTC.

Advisories
Source: Github GHSA
ID: GHSA-7gmj-67g7-phm9
Title: Tauri has an Origin Confusion Issue that Allows Remote Pages to Invoke Local-Only IPC Commands
History

Tue, 02 Jun 2026 01:00:00 +0000

Type: CPEs; Values: cpe:2.3:a:tauri:tauri:*:*:*:*:*:*:*:*
Type: Metrics (cvssV3_1); Values: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Sat, 30 May 2026 21:30:00 +0000

Type: First Time appeared; Values: Tauri, Tauri tauri
Type: Vendors & Products; Values: Tauri, Tauri tauri

Wed, 27 May 2026 16:30:00 +0000

Type: Metrics (ssvc); Values: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 15:15:00 +0000

Type: Description; Values: Tauri is a framework for building binaries for all major desktop platforms. From 2.0 to 2.11.0, a flaw in Tauri's is_local_url() function causes it to incorrectly classify remote URLs as trusted local origins on Windows and Android. On these systems, Tauri maps custom URI scheme protocols to http://<scheme>.localhost/ because those platforms' WebView implementations cannot serve custom URI schemes directly. The issue is that Tauri's check to see if the origin is local, only checks the first subdomain of the URL. An attacker can abuse this by hosting a page on a domain whose subdomain matches the custom scheme of the application. This vulnerability is fixed in 2.10.3.
Type: Title; Values: Tauri: Origin Confusion Allows Remote Pages to Invoke Local-Only IPC Commands
Type: Weaknesses; Values: CWE-918
Type: References
Type: Metrics (cvssV4_0); Values: {'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T15:40:09.463Z

Reserved: 2026-04-25T01:53:21.583Z

Link: CVE-2026-42184

Vulnrichment

Updated: 2026-05-27T15:38:59.751Z

NVD

Status: Analyzed

Published: 2026-05-27T15:16:27.560

Modified: 2026-06-02T00:52:44.913

Link: CVE-2026-42184

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T21:15:25Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)