CVE-2026-43580

Description

## Summary Browser press/type interaction routes missed complete navigation guard coverage. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Some browser press/type style interactions could trigger navigation without complete post-action SSRF policy enforcement. ## Technical Details The fix applies a three-phase interaction navigation guard to navigation-capable interactions, including pressKey and type submit flows. ## Fix The issue was fixed in #62023 and #63226 and #63889. The first stable tag containing the fix is `v2026.4.10`, and `[email protected]` includes the fix. ## Fix Commit(s) - `049acf23cb03e1b92f5c71cd99c6ec5f35cc56fe` - `5f5b3d733bdd791cb457f838514179e1288b10b3` - `e0b8ddc1a55185aff1cf9e0e095014d2e4f1d894` - PR: #62023, #63226, #63889 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.

How to fix CVE-2026-43580

To remediate CVE-2026-43580, upgrade the affected package to a fixed version below.

—upgrade to 2026.4.10 or later

Is CVE-2026-43580 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2026.4.10

CVSS scores

osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
osv	CVSS 3.1	HIGH7.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N