Description
OpenClaw before 2026.4.14 contains an improper access control vulnerability in browser snapshot, screenshot, and tab routes that fail to consistently validate the final browser target after navigation. Authenticated callers can bypass SSRF restrictions to expose internal or disallowed page content by exploiting route-driven navigation without proper policy re-validation.
Published: 2026-05-05
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw versions prior to 2026.4.14 contain an improper access control flaw in the browser snapshot, screenshot, and tab routes. The application fails to consistently validate the final browser target after navigation, allowing authenticated callers to bypass Server Side Request Forgery (SSRF) restrictions. This permits the retrieval of internal or disallowed page content, directly compromising confidentiality for authenticated users and exposing sensitive data.

Affected Systems

The vulnerability affects the OpenClaw application. All installations running any version older than 2026.4.14 are vulnerable. Vendors and administrators should verify that the product is updated to the 2026.4.14 release or newer.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate severity. Because the Exploit Prediction Scoring System (EPSS) score is not available and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog, the likelihood of widespread exploitation is uncertain. Attackers must be authenticated and capable of issuing requests to the vulnerable routes; there is no known unauthenticated vector. Once authenticated, an attacker can manipulate navigation to target internal resources, resulting in unintentional data exposure.

Generated by OpenCVE AI on May 5, 2026 at 12:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy OpenClaw 2026.4.14 or later in all affected environments to address the access‑control flaw.
  • Restrict authenticated access to the snapshot, screenshot, and tab routes to only those users who truly require them, and enforce strict target validation logic that confirms the target URL remains within permitted domains before rendering.
  • If an upgrade is temporarily infeasible, disable the vulnerable routes or implement additional server‑side checks that reject requests whose navigation target points to internal or disallowed URLs.


Advisories
Source: Github GHSA
ID: GHSA-c4qm-58hj-j6pj
Title: OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation
History

Tue, 05 May 2026 11:45:00 +0000

Type | Values Removed | Values Added
Description | | OpenClaw before 2026.4.14 contains an improper access control vulnerability in browser snapshot, screenshot, and tab routes that fail to consistently validate the final browser target after navigation. Authenticated callers can bypass SSRF restrictions to expose internal or disallowed page content by exploiting route-driven navigation without proper policy re-validation.
Title | | OpenClaw < 2026.4.14 - Internal Page Content Exposure via Browser Snapshot and Screenshot Routes
First Time appeared | | Openclaw; Openclaw openclaw
Weaknesses | | CWE-862
CPEs | | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products | | Openclaw; Openclaw openclaw
References | |
Metrics | | cvssV3_1: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}; cvssV4_0: {'score': 4.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-05T11:24:55.261Z

Reserved: 2026-04-27T11:40:07.152Z

Link: CVE-2026-42436

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T12:16:18.050

Modified: 2026-05-05T12:16:18.050

Link: CVE-2026-42436

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T14:00:06Z

Weaknesses