CVE-2026-42184
Status: Received - Intake
Incorrect Origin Validation in Tauri Framework

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
Tauri is a framework for building binaries for all major desktop platforms. From 2.0 to 2.11.0, a flaw in Tauri's is_local_url() function causes it to incorrectly classify remote URLs as trusted local origins on Windows and Android. On these systems, Tauri maps custom URI scheme protocols to http://<scheme>.localhost/ because those platforms' WebView implementations cannot serve custom URI schemes directly. The issue is that Tauri's check for whether an origin is local inspects only the first subdomain (the leftmost host label) of the URL. An attacker can abuse this by hosting a page on a domain whose subdomain matches the custom scheme of the application. This vulnerability is fixed in 2.10.3.
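The following Rust snippet is an added illustration of the bug class described above; it is not Tauri's own is_local_url() implementation. It contrasts a check that compares only the leftmost host label (the flawed pattern) with one that requires the whole host to equal <scheme>.localhost, using a hypothetical custom scheme "app" and constructed sample URLs.

```rust
// Added example, not Tauri's code. On Windows/Android a custom scheme "app"
// is served as http://app.localhost/, so a local-origin check must accept
// exactly that host and nothing else.

/// Extract the lower-cased host of an http:// URL (the form Tauri uses for
/// mapped custom schemes): strip the scheme, cut at '/', '?' or '#', then drop
/// any userinfo and port. Returns None for non-http URLs or an empty host.
fn host_of(url: &str) -> Option<String> {
    let rest = url.strip_prefix("http://")?;
    let authority = rest.split(&['/', '?', '#'][..]).next()?;
    let host_port = authority.rsplit('@').next()?;
    let host = host_port.split(':').next()?;
    if host.is_empty() {
        None
    } else {
        Some(host.to_ascii_lowercase())
    }
}

/// Flawed pattern: only the first DNS label is compared with the scheme, so
/// "app.evil.example" is treated exactly like "app.localhost".
fn is_local_url_flawed(url: &str, scheme: &str) -> bool {
    match host_of(url) {
        Some(host) => host.split('.').next() == Some(scheme),
        None => false,
    }
}

/// Hardened pattern: the entire host must equal "<scheme>.localhost".
fn is_local_url_fixed(url: &str, scheme: &str) -> bool {
    match host_of(url) {
        Some(host) => host == format!("{}.localhost", scheme),
        None => false,
    }
}

fn main() {
    // Constructed sample origins for the hypothetical scheme "app".
    let samples = [
        "http://app.localhost/index.html",
        "http://app.evil.example/page",
        "http://evil.example/",
    ];
    for url in samples.iter() {
        println!(
            "{:<36} flawed={:<5} fixed={}",
            url,
            is_local_url_flawed(url, "app"),
            is_local_url_fixed(url, "app")
        );
    }
}
```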
Affected Vendors & Products (2 associated CPEs)
Vendor: tauri | Product: tauri | Version / Range: 2.10.3
Vendor: tauri | Product: tauri | Version / Range: From 2.0 (inc) to 2.11.0 (exc)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-42184 is a vulnerability in the Tauri framework versions 2.0 to 2.11.0 involving an origin confusion flaw in the is_local_url() function.

On Windows and Android, Tauri maps custom URI schemes to http://<scheme>.localhost/ because their WebView implementations cannot serve custom URI schemes directly.

The vulnerability arises because the is_local_url() function only checks the first subdomain of a URL to determine if it is local.

An attacker can exploit this by hosting a malicious page on a domain whose subdomain matches the application's custom scheme, causing remote URLs to be incorrectly classified as trusted local origins.

This allows the attacker to invoke local-only IPC commands intended to be restricted to the app's frontend.


How can this vulnerability impact me?

This vulnerability can impact system integrity by allowing remote pages to execute local-only IPC commands within the Tauri application.

Because remote URLs can be misclassified as trusted local origins, attackers may perform unauthorized actions within the application context.

The confidentiality and availability impacts are considered low, but the integrity impact is moderate.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves an origin confusion flaw in Tauri's is_local_url() function, which incorrectly classifies remote URLs as trusted local origins. Detection would involve monitoring for suspicious URLs where the subdomain matches the application's custom scheme, such as URLs like http://app.evil.com/ that mimic local origins.

To detect exploitation attempts on your system or network, you can monitor network traffic for HTTP requests to suspicious subdomains that resemble your application's custom URI scheme. For example, use network monitoring tools or command-line utilities such as tcpdump or Wireshark to filter HTTP traffic for such patterns.

  • Use tcpdump to capture HTTP traffic and filter for suspicious subdomains: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '<custom_scheme>.'
  • Use Wireshark to filter HTTP Host headers containing your custom scheme as a subdomain.

Additionally, review application logs for any IPC commands invoked from unexpected remote origins that should be local only.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the Tauri framework to version 2.11.1 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, consider restricting network access to prevent untrusted remote URLs from interacting with the application, especially on Windows and Android platforms.

Also, audit and harden any IPC commands or interfaces that rely on origin checks to ensure they do not trust URLs based solely on the first subdomain.

