Tauri (Windows & Android) – Origin Confusion Vulnerability – CVE-2026-42184 (Moderate) -DC-Jun2026-90

Listen to this Post

Intro – How CVE-2026-42184 Works

A flaw in Tauri’s `is_local_url()` function causes it to incorrectly classify remote URLs as trusted local origins on Windows and Android. On these platforms, Tauri maps custom URI scheme protocols to `http://.localhost/` because their WebView implementations cannot serve custom URI schemes directly. The issue is that Tauri’s check to see if the origin is local only checks the first subdomain of the URL. An attacker can abuse this by hosting a page on a domain whose subdomain matches the custom scheme of the application (e.g. http://app.attacker.com/`). As a result, the attacker’s page can invoke backend commands that the developer intended to be accessible only to the app’s own frontend and that are explicitly restricted from being called by external or remote origins.
<h2 style="color: blue;">DailyCVE Form:</h2>
Platform: Tauri (Windows, Android)
Version: 2.0 – 2.11.0
Vulnerability: Origin confusion / URL validation bypass
Severity: Moderate (NVD CVSS 3.x: 5.9)
date: 2026-05-06
<h2 style="color: blue;">Prediction: 2026-06-03 (vendor patch in 2.10.3)</h2>
<h2 style="color: blue;">What Undercode Say:</h2>

Extract custom protocols from tauri.conf.json
jq '.tauri.allowlist.protocol' tauri.conf.json
Test for vulnerable is_local_url() behavior
curl -H "Origin: http://app.evil.com" http://localhost:1420/ipc

<h2 style="color: blue;">Exploit:</h2>
1. Attacker registers a domain with a subdomain matching the target app's custom scheme (e.g.
app.attacker.com).
2. Attacker hosts a malicious HTML/JS page on this domain.
3. Victim is tricked into opening the attacker's page (e.g. via phishing link).
4. The page sends an IPC command that is only allowed for local origins.
5. Due to the flawed check, the command is accepted and executed by the backend.
<h2 style="color: blue;">Protection:</h2>
- Update Tauri to version 2.10.3 or later.
- Restrict IPC commands using allowlists and capability files with `"local": true` as a stopgap.
- Validate origins in custom protocol handlers with a full-domain check (i.e., ensure the entire domain is exactly
.localhost`).

Impact:

  • Remote attacker can invoke local-only IPC commands.
  • Potential for data theft, command execution, and bypassing of origin-based security controls.
  • Affects all Tauri applications on Windows and Android that use custom protocols.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top