Description
OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A malicious website can trigger unauthorized state changes against a victim's local OpenClaw browser control plane (for example opening tabs, starting/stopping the browser, mutating storage/cookies) if the browser control service is reachable on loopback in the victim's browser context. Starting in version 2026.2.14, mutating HTTP methods (POST/PUT/PATCH/DELETE) are rejected when the request indicates a non-loopback Origin/Referer (or `Sec-Fetch-Site: cross-site`). Other mitigations include enabling browser control auth (token/password) and avoiding running with auth disabled.
Published: 2026-02-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery
Action: Upgrade
AI Analysis

Impact

OpenClaw is a personal AI assistant that exposed a set of browser‑facing localhost endpoints for mutating state without validating the Origin or Referer headers. The missing check allowed a malicious website to cause the victim’s browser to perform unauthorized actions—such as opening or closing tabs, altering storage or cookies, or starting and stopping the OpenClaw instance—by sending requests to the loopback interface. Based on the description, it is inferred that an attacker would need only to host a malicious page that the victim visits, and the victim’s browser would then forge the requests. The flaw maps to the classic cross‑site request forgery weakness (CWE‑352), and the primary impact is local state manipulation that can disrupt the user’s browsing experience.

Affected Systems

The vulnerability affects all releases of OpenClaw and its ClawDBot component that are older than version 2026.2.14. Users with the browser‑control REST API bound to the loopback interface and authentication disabled are exposed. No finer version granularity is provided beyond the cutoff, so it should be presumed that every pre‑2026.2.14 build is potentially affected.

Risk and Exploitability

The CVSS score of 7.1 indicates a high impact with moderate to high exploitability. The EPSS score of < 1 % suggests that exploitation is unlikely at present. The flaw is not listed in the CISA KEV catalog. Attackers would need only a malicious web page; the victim’s browser would then forge requests to the loopback mutation endpoints, which performed no Origin/Referer validation. The combination of low EPSS and high CVSS underscores the importance of promptly applying the vendor’s patch or enabling authentication.

Generated by OpenCVE AI on April 18, 2026 at 11:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw version 2026.2.14 or later, which rejects mutating requests that indicate a non‑loopback Origin, Referer, or Sec‑Fetch‑Site header.
  • Enable authentication for the OpenClaw browser‑control service by configuring a token or password, ensuring the service is not left unauthenticated.
  • If an immediate upgrade is not possible, restrict the loopback control port so that only traffic originating from localhost can reach the mutation endpoints, for example by configuring the firewall to block remote access or binding the service to a dedicated loopback address. As the description notes, loopback binding alone does not stop browser-initiated requests, because the victim’s own browser runs on localhost, so enabling authentication remains necessary.

Generated by OpenCVE AI on April 18, 2026 at 11:41 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-3fqr-4cg8-h96q
Title: OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints
History

Thu, 26 Feb 2026 18:45:00 +0000

Type    Values Removed    Values Added
CPEs    (none)            cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Fri, 20 Feb 2026 17:15:00 +0000

Type       Values Removed    Values Added
Metrics    (none)            ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 10:15:00 +0000

Type                   Values Removed    Values Added
First Time appeared    (none)            Openclaw; Openclaw clawdbot; Openclaw openclaw
Vendors & Products     (none)            Openclaw; Openclaw clawdbot; Openclaw openclaw

Thu, 19 Feb 2026 21:45:00 +0000

Type           Values Removed    Values Added
Description    (none)            OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A malicious website can trigger unauthorized state changes against a victim's local OpenClaw browser control plane (for example opening tabs, starting/stopping the browser, mutating storage/cookies) if the browser control service is reachable on loopback in the victim's browser context. Starting in version 2026.2.14, mutating HTTP methods (POST/PUT/PATCH/DELETE) are rejected when the request indicates a non-loopback Origin/Referer (or `Sec-Fetch-Site: cross-site`). Other mitigations include enabling browser control auth (token/password) and avoid running with auth disabled.
Title          (none)            OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints
Weaknesses     (none)            CWE-352
References     (none)            (none)
Metrics        (none)            cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:41:39.603Z

Reserved: 2026-02-13T16:27:51.807Z

Link: CVE-2026-26317

Vulnrichment

Updated: 2026-02-20T15:27:33.425Z

NVD

Status : Analyzed

Published: 2026-02-19T22:16:47.270

Modified: 2026-02-26T18:39:50.060

Link: CVE-2026-26317

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:45:44Z

Weaknesses