GHSA-527m-976r-jf79
OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement
## Summary
Existing-session browser interaction routes bypassed SSRF policy enforcement.
## Affected Packages / Versions
- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.10`
- Patched versions: `>= 2026.4.10`
## Impact
Existing-session browser interaction routes could continue interacting with or navigating targets without applying the same SSRF navigation guard used by guarded browser routes.
## Technical Details
The fix guards existing-session navigation and interaction routes with browser navigation policy checks.
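To show the pattern the fix restores, here is an added example (not OpenClaw's code) of a single SSRF navigation guard that every browser route, new-session and existing-session alike, is registered through; the route names, request shapes and blocked ranges are assumptions, not the project's own.

```javascript
// Added example, not OpenClaw's code; route names and request shapes are hypothetical.
// IPv4 ranges a browser automation service should never be pointed at.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}
// Policy on the WHATWG-normalised hostname ("127.1" arrives as "127.0.0.1"); a production guard also resolves DNS and re-checks each resolved address (rebinding).
function isBlockedHost(hostname) {
  if (hostname === "localhost" || hostname.endsWith(".localhost")) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(hostname)) return isPrivateIPv4(hostname);
  if (hostname.includes(":")) {                                  // IPv6, e.g. "[::1]"
    const v6 = hostname.replace(/^\[|\]$/g, "");
    const mapped = v6.match(/^::ffff:([0-9a-f]+):([0-9a-f]+)$/); // IPv4-mapped, e.g. ::ffff:7f00:1
    if (mapped) {
      const hi = parseInt(mapped[1], 16), lo = parseInt(mapped[2], 16);
      return isPrivateIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
    }
    return v6 === "::1" || v6 === "::" || /^f[cd]/.test(v6) || /^fe[89ab]/.test(v6);
  }
  return false;
}

// The single policy decision every navigation target goes through.
function checkNavigationPolicy(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return { allowed: false, reason: "unparseable url" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return { allowed: false, reason: `scheme ${url.protocol} not allowed` };
  if (isBlockedHost(url.hostname)) return { allowed: false, reason: `host ${url.hostname} blocked` };
  return { allowed: true };
}

// Wrap a handler so any request body carrying a navigation target is checked first.
function withNavigationGuard(handler) {
  return (body) => {
    const verdict = body.url === undefined ? { allowed: true } : checkNavigationPolicy(body.url);
    return verdict.allowed ? handler(body) : { status: 403, error: verdict.reason };
  };
}

// New-session and existing-session routes all go through the same wrapper; none calls its handler directly.
const routes = {
  "POST /browser/navigate": withNavigationGuard((b) => ({ status: 200, session: "new", url: b.url })),
  "POST /browser/sessions/:id/navigate": withNavigationGuard((b) => ({ status: 200, session: b.id, url: b.url })),
  "POST /browser/sessions/:id/act": withNavigationGuard((b) => ({ status: 200, session: b.id, action: b.action })),
};

function handleRequest(route, body) {
  const handler = routes[route];
  return handler ? handler(body) : { status: 404 };
}
```

The bypass class this advisory describes is exactly a route registered without the wrapper; a unit test that enumerates `routes` and asserts each one rejects a loopback target catches that regression.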
## Fix
The issue was fixed in #64370. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.
## Fix Commit(s)
- `daeb74920d5ad986cb600625180037e23221e93a` - PR: #64370
## Release Process Note
Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.
## Credits
Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer, for reporting this issue.
## References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-527m-976r-jf79 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-43573 [ADVISORY]
- https://github.com/openclaw/openclaw/pull/64370 [WEB]
- https://github.com/openclaw/openclaw/commit/daeb74920d5ad986cb600625180037e23221e93a [WEB]
- https://github.com/openclaw/openclaw [PACKAGE]
- https://www.vulncheck.com/advisories/openclaw-ssrf-policy-bypass-in-existing-session-browser-interaction-routes [WEB]