Description
OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into opening a malicious webpage and perform password brute-force attacks against the gateway to establish an authenticated operator session and invoke control-plane methods.
Published: 2026-03-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Control-Plane Access Through Authentication Bypass
Action: Apply Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.2.25 have an authentication hardening gap in browser‑origin WebSocket clients. The flaw allows attackers to bypass origin checks and authentication throttling, enabling password brute‑force attacks against the gateway and the creation of an authenticated operator session. This yields the attacker the ability to invoke privileged control‑plane methods. The weakness corresponds to CWE‑307 – Improper Restriction of Credentials Exposure.

Affected Systems

The vulnerability affects all OpenClaw deployments before version 2026.2.25. It applies to the OpenClaw gateway product for environments that enable browser‑origin WebSocket connections on the loopback interface.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires a victim to open a malicious webpage that initiates a WebSocket connection to the local gateway, using the browser's origin header to bypass checks. While the exploit requires user interaction, the potential impact of gaining privileged control-plane access is significant, warranting a high risk assessment.

Generated by OpenCVE AI on March 19, 2026 at 23:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.25 or later
  • If an immediate upgrade is not feasible, disable browser‑origin WebSocket clients or enforce strict origin validation to block unauthenticated connections
  • Monitor gateway logs for repeated authentication attempts and apply rate limiting or additional authentication mechanisms

Generated by OpenCVE AI on March 19, 2026 at 23:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jmmg-jqc7-5qf4 OpenClaw's browser-origin WebSocket auth hardening gap could enable loopback password brute-force chains
History

Fri, 20 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into opening a malicious webpage and perform password brute-force attacks against the gateway to establish an authenticated operator session and invoke control-plane methods.
Title OpenClaw < 2026.2.25 - Password Brute-Force via Browser-Origin WebSocket Authentication Bypass
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-307
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-20T18:09:54.130Z

Reserved: 2026-03-10T19:48:40.709Z

Link: CVE-2026-32025

cve-icon Vulnrichment

Updated: 2026-03-20T18:03:47.983Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T22:16:37.210

Modified: 2026-03-23T17:12:07.897

Link: CVE-2026-32025

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T10:44:27Z

Weaknesses