Listen to this Post
Intro – How CVE-2026-42184 Works
A flaw in Tauri’s `is_local_url()` function causes it to incorrectly classify remote URLs as trusted local origins on Windows and Android. On these platforms, Tauri maps custom URI scheme protocols to `http://http://app.attacker.com/`). As a result, the attacker’s page can invoke backend commands that the developer intended to be accessible only to the app’s own frontend and that are explicitly restricted from being called by external or remote origins.
<h2 style="color: blue;">DailyCVE Form:</h2>
Platform: Tauri (Windows, Android)
Version: 2.0 – 2.11.0
Vulnerability: Origin confusion / URL validation bypass
Severity: Moderate (NVD CVSS 3.x: 5.9)
date: 2026-05-06
<h2 style="color: blue;">Prediction: 2026-06-03 (vendor patch in 2.10.3)</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
Extract custom protocols from tauri.conf.json jq '.tauri.allowlist.protocol' tauri.conf.json Test for vulnerable is_local_url() behavior curl -H "Origin: http://app.evil.com" http://localhost:1420/ipc
<h2 style="color: blue;">Exploit:</h2>
1. Attacker registers a domain with a subdomain matching the target app's custom scheme (e.g.app.attacker.com).
2. Attacker hosts a malicious HTML/JS page on this domain.
3. Victim is tricked into opening the attacker's page (e.g. via phishing link).
4. The page sends an IPC command that is only allowed for local origins.
5. Due to the flawed check, the command is accepted and executed by the backend.
<h2 style="color: blue;">Protection:</h2>
- Update Tauri to version 2.10.3 or later.
- Restrict IPC commands using allowlists and capability files with `"local": true` as a stopgap.
- Validate origins in custom protocol handlers with a full-domain check (i.e., ensure the entire domain is exactly
Impact:
- Remote attacker can invoke local-only IPC commands.
- Potential for data theft, command execution, and bypassing of origin-based security controls.
- Affects all Tauri applications on Windows and Android that use custom protocols.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

