Tauri Framework Security Flaw Exposes Windows and Android Apps to Remote IPC Hijacking
A critical origin confusion vulnerability in the Tauri desktop application framework could allow remote web pages to invoke local-only IPC commands, bypassing security boundaries on Windows and Android. The flaw, tracked as CVE-2026-42184 and disclosed under GitHub Security Advisory GHSA-7gmj-67g7-phm9, stems from a bug in Tauri's `is_local_url()` function that incorrectly classifies certain remote URLs as trusted local origins. As a result, an attacker who can get an affected application to load their web content could invoke privileged commands that should be reachable only from the application's own local origin.
The vulnerability affects Windows and Android specifically because the WebView implementations on those platforms cannot serve custom URI schemes directly, so Tauri maps each custom scheme to `http://<scheme>.localhost/` instead. This architectural workaround creates an attack surface: the origin validation logic fails to distinguish genuinely local resources from remote content whose URL the check mistakes for one of these mapped local origins. Applications built with Tauri versions prior to 2.11.1 that expose IPC handlers intended only for local use are at risk if they load, or can be navigated to, remote content.
Developers using Tauri to build cross-platform desktop applications should update to version 2.11.1 immediately, as it patches the origin validation flaw. The security advisory indicates that any application relying on `is_local_url()` for access control decisions (in particular, those that restrict IPC commands based on the caller's origin) should audit its security model. The vulnerability underscores the difficulty of securing hybrid desktop applications that bridge web technologies with native system capabilities, where platform-specific WebView behaviors can introduce subtle but severe trust boundary failures.
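As an added defender-side illustration (not Tauri's own code and not the fixed `is_local_url()`), the following is the kind of fail-closed origin check an application can apply on the Rust side of an IPC command as defense in depth, independent of the framework's classification. It assumes a hypothetical allowlist of the app's registered custom schemes (`tauri`, `asset`) and accepts only the native `<scheme>://localhost` form or the Windows/Android remapping `http://<scheme>.localhost` described above; everything else, including input it cannot parse, is treated as remote.

```rust
/// Custom URI schemes this application registers and serves locally.
/// Constructed for the example; a real app would use its own list.
const LOCAL_SCHEMES: &[&str] = &["tauri", "asset"];

/// Fail-closed local-origin check (hypothetical, not Tauri's `is_local_url()`).
/// Accepts only `<scheme>://localhost` or its Windows/Android remapping
/// `http://<scheme>.localhost`; anything unparsable is treated as remote.
pub fn is_local_origin(url: &str) -> bool {
    // Scheme and host are case-insensitive, so normalise before comparing.
    let lower = url.trim().to_ascii_lowercase();
    let (scheme, rest) = match lower.split_once("://") {
        Some(parts) => parts,
        None => return false,
    };
    // The authority ends at the first '/', '?' or '#'.
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next().unwrap_or("");
    // The mapped origin carries no userinfo, explicit port or IPv6 literal;
    // rather than parse those forms, reject them outright.
    if authority.is_empty() || authority.contains(|c: char| c == '@' || c == ':' || c == '[') {
        return false;
    }
    // Only plain DNS-label characters may appear in a local host.
    if !authority.chars().all(|c| c.is_ascii_lowercase() || c.is_ascii_digit() || c == '.' || c == '-') {
        return false;
    }
    match scheme {
        // Native form on platforms that serve custom schemes directly.
        s if LOCAL_SCHEMES.contains(&s) => authority == "localhost",
        // Windows/Android form: `http://<scheme>.localhost`, and only for a
        // scheme this app actually registered (so `evil.localhost` fails).
        "http" => match authority.strip_suffix(".localhost") {
            Some(prefix) => LOCAL_SCHEMES.contains(&prefix),
            None => false,
        },
        _ => false,
    }
}

fn main() {
    for u in ["tauri://localhost/index.html", "http://asset.localhost/a.png",
              "https://example.com/", "http://tauri.localhost.example.com/"] {
        println!("{:<40} local={}", u, is_local_origin(u));
    }
}
```

Note that the suffix check rejects `tauri.localhost.example.com` and the scheme allowlist rejects `evil.localhost`, two shapes a naive "contains localhost" test would wave through.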