PatchSiren cyber security CVE debrief

CVE-2026-42184 tauri-apps CVE debrief

Tauri is a framework for building binaries for all major desktop platforms. From 2.0 to 2.11.0, a flaw in Tauri's is_local_url() function causes it to incorrectly classify remote URLs as trusted local origins on Windows and Android. On these systems, Tauri maps custom URI scheme protocols to http://<scheme>.localhost/ because those platforms' WebView implementations cannot serve custom URI schemes directly. The issue is that Tauri's check for whether an origin is local inspects only the first subdomain label of the URL's host. An attacker can abuse this by hosting a page on a domain whose first subdomain label matches the application's custom scheme. This vulnerability is fixed in 2.10.3.

Vendor
tauri-apps
Product
tauri
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations deploying Tauri-based desktop applications on Windows or Android platforms; developers using custom URI schemes in Tauri applications; security teams responsible for application security assessments of cross-platform desktop frameworks

Technical summary

The vulnerability exists in Tauri's is_local_url() function from versions 2.0 through 2.11.0. On Windows and Android platforms, Tauri maps custom URI schemes to http://<scheme>.localhost/ due to WebView limitations. The origin validation logic examines only the first subdomain label of the host, so an attacker who controls a domain whose first label matches the target application's custom scheme can have a remote URL classified as a trusted local origin, potentially gaining access to local resources or APIs that should be restricted to the application's own content. The CVSS 4.0 score of 6.1 (MEDIUM) reflects a network attack vector with high attack complexity and attack requirements present, no privileges required, user interaction required, and low confidentiality, high integrity and low availability impact.
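To make the flaw concrete, the following Rust example (added here; it is an illustrative reconstruction of the bug class, not Tauri's actual is_local_url() implementation) places a weak check that compares only the first host label against a registered custom scheme next to a strict check that requires the whole host to be exactly `<scheme>.localhost`. The URL parsing helper, the function names and the sample URLs are assumptions made for this example.

```rust
// Illustrative example: NOT Tauri's code. Shows why comparing only the first
// host label against the custom scheme name is insufficient, and what a
// strict origin check looks like instead.

/// Extract the host from an http(s) URL without external crates.
/// Drops userinfo and port; IPv6 literals are out of scope for this example.
fn host_of(url: &str) -> Option<&str> {
    let rest = url
        .strip_prefix("http://")
        .or_else(|| url.strip_prefix("https://"))?;
    // Authority ends at the first '/', '?' or '#'.
    let end = rest
        .find(|c: char| c == '/' || c == '?' || c == '#')
        .unwrap_or(rest.len());
    let authority = &rest[..end];
    let host = authority.rsplit('@').next()?; // strip "user:pass@"
    let host = host.split(':').next()?;       // strip ":port"
    if host.is_empty() { None } else { Some(host) }
}

/// Weak check (the bug pattern described in the advisory): a URL counts as
/// local if its FIRST host label equals one of the registered custom schemes,
/// regardless of what follows. "http://tauri.example.com/" passes.
fn is_local_url_weak(url: &str, schemes: &[&str]) -> bool {
    match host_of(url) {
        Some(host) => {
            let first_label = host.split('.').next().unwrap_or("");
            schemes.iter().any(|s| first_label.eq_ignore_ascii_case(s))
        }
        None => false,
    }
}

/// Strict check: the entire host must be exactly "<scheme>.localhost".
/// Anything with extra labels before or after is a remote origin.
fn is_local_url_strict(url: &str, schemes: &[&str]) -> bool {
    match host_of(url) {
        Some(host) => schemes
            .iter()
            .any(|s| host.eq_ignore_ascii_case(&format!("{}.localhost", s))),
        None => false,
    }
}

fn main() {
    // Constructed sample inputs: one genuine local origin, two remote ones.
    let schemes = ["tauri"];
    for url in [
        "http://tauri.localhost/index.html",
        "http://tauri.example.com/",
        "https://tauri.localhost.example.com/",
    ] {
        println!(
            "{:<40} weak={:<5} strict={}",
            url,
            is_local_url_weak(url, &schemes),
            is_local_url_strict(url, &schemes)
        );
    }
}
```

The weak variant accepts both remote URLs because their first label is `tauri`; the strict variant accepts only the real `<scheme>.localhost` host. When auditing an application, the question to ask of any origin check is whether it compares the full host (and scheme) or just a prefix.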

Defensive priority

MEDIUM

Recommended defensive actions

  • Upgrade Tauri to version 2.10.3 or later to remediate the origin validation flaw
  • Review application custom URI scheme configurations on Windows and Android deployments
  • Audit application code for reliance on is_local_url() for security-critical decisions
  • Validate that remote content loading restrictions are properly enforced post-upgrade
  • Monitor for anomalous network requests from Tauri applications that may indicate exploitation attempts

Evidence notes

CVE published 2026-05-27T15:16:27.560Z; modified 2026-05-27T17:16:35.480Z. CVSS 4.0 vector: AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N. CWE-918 (Server-Side Request Forgery) identified. Advisory source: GitHub Security Advisory GHSA-7gmj-67g7-phm9.

Official resources

2026-05-27