Description
OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-control routes to remain accessible without authentication. Local processes or loopback-reachable SSRF paths can exploit this to access browser-control routes including evaluate-capable actions without valid credentials.
Published: 2026-03-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential Code Execution
Action: Upgrade
AI Analysis

Impact

OpenClaw versions earlier than 2026.3.1 do not correctly handle errors raised during authentication bootstrap at startup: instead of failing closed, the server keeps serving its browser‑control routes with no authorization check (CWE-306, missing authentication for a critical function). Those routes include evaluate‑capable actions, which run attacker‑supplied code. An unauthenticated attacker who can reach the endpoints, either as a local process or through a server‑side request forgery (SSRF) path that lands on the loopback interface, can therefore invoke those actions without valid credentials; the page rates the resulting impact as potential code execution.
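The fail-open pattern described above, as an added illustration that is not OpenClaw's code: a minimal router built here from scratch (no framework, no network) in two variants. The first swallows the bootstrap error and lets the auth check skip itself when no token was loaded; the second refuses to mount the evaluate-capable route at all until bootstrap succeeds. The route path, the token loader and the token value are assumptions constructed for the example.

```javascript
// Added example, not OpenClaw's implementation. Demonstrates CWE-306 via a
// startup auth bootstrap that fails, and the fail-open vs fail-closed choice.
// Route name "/browser/evaluate" and loadGatewayToken() are assumptions.

// Simulated secret store. In real deployments this reads a config file or
// keyring and can throw at startup (missing file, bad permissions, ...).
function loadGatewayToken({ fail }) {
  if (fail) throw new Error("ENOENT: token file missing");
  return "tok-constructed-0123456789abcdef"; // constructed fixed value
}

// Constant-time comparison so the check itself does not leak the token.
function tokenMatches(presented, expected) {
  if (typeof presented !== "string") return false;
  let diff = presented.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) {
    diff |= expected.charCodeAt(i) ^ (presented.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Vulnerable pattern: the bootstrap error is logged and swallowed, startup
// continues, and the auth check treats "no token configured" as "allow".
function buildVulnerableApp({ bootstrapFails }) {
  let token = null;
  try {
    token = loadGatewayToken({ fail: bootstrapFails });
  } catch (err) {
    console.error("auth bootstrap failed, continuing:", err.message); // fail-open
  }
  const routes = {
    "/browser/evaluate": (req) => ({ status: 200, body: `evaluated: ${req.body}` }),
  };
  return {
    token,
    handle(req) {
      const route = routes[req.path];
      if (!route) return { status: 404, body: "not found" };
      // BUG: when token is null the credential check is skipped entirely.
      if (token !== null && !tokenMatches(req.headers.authorization, token)) {
        return { status: 401, body: "unauthorized" };
      }
      return route(req);
    },
  };
}

// Hardened pattern: bootstrap failure is terminal for the protected surface.
// Evaluate-capable routes are never mounted without a credential to check
// against; the service answers 503 until the operator fixes the bootstrap.
function buildHardenedApp({ bootstrapFails }) {
  let token;
  try {
    token = loadGatewayToken({ fail: bootstrapFails });
  } catch (err) {
    console.error("auth bootstrap failed, browser control disabled:", err.message);
    return {
      token: null,
      handle() {
        return { status: 503, body: "auth bootstrap failed; browser control disabled" };
      },
    };
  }
  const routes = {
    "/browser/evaluate": (req) => ({ status: 200, body: `evaluated: ${req.body}` }),
  };
  return {
    token,
    handle(req) {
      const route = routes[req.path];
      if (!route) return { status: 404, body: "not found" };
      if (!tokenMatches(req.headers.authorization, token)) {
        return { status: 401, body: "unauthorized" };
      }
      return route(req);
    },
  };
}

// Constructed request: a local process or loopback SSRF hitting the evaluate
// route with no credential at all.
const unauthenticated = { path: "/browser/evaluate", headers: {}, body: "1+1" };

const vuln = buildVulnerableApp({ bootstrapFails: true });
const hard = buildHardenedApp({ bootstrapFails: true });
console.log("vulnerable, bootstrap failed:", vuln.handle(unauthenticated).status); // 200
console.log("hardened,   bootstrap failed:", hard.handle(unauthenticated).status); // 503
```

The point of the hardened variant is that the decision is made once, at startup, and not left to a per-request check that can be short-circuited by an unset value; a caught bootstrap exception should either abort the process or remove the sensitive routes, never fall through to mounting them.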

Affected Systems

The affected product is OpenClaw by OpenClaw as identified by the CPE string cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*. All releases prior to the 2026.3.1 update are vulnerable. The fix is incorporated in OpenClaw 2026.3.1 and later.

Risk and Exploitability

The CVSS v4.0 base score is 7.5 (High), vector CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N; the CVSS v3.1 score is 6.9 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L). Both vectors rate the attack vector as local with high attack complexity and no privileges required; v4.0 additionally records an attack requirement (AT:P), meaning exploitation depends on a precondition outside the attacker's control, consistent with the auth bootstrap having failed at startup. EPSS puts the probability of exploitation below 1%, the issue is not listed in the CISA Known Exploited Vulnerabilities catalog, and the SSVC record marks exploitation as none and the flaw as not automatable, with total technical impact. According to the description, the attacker must be able to direct traffic to the vulnerable browser‑control endpoints, as a local process or through a loopback‑reachable SSRF path; this is an existing foothold on the host or a second bug in a co‑located service, not remote network access.

Generated by OpenCVE AI on March 20, 2026 at 00:27 UTC.

Remediation

Fixed in OpenClaw 2026.3.1 and later (see advisory GHSA-vpj2-69hf-rppw under Advisories). No vendor workaround is documented for earlier versions.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.1 or later, the release in which browser‑control startup no longer continues unauthenticated after an auth bootstrap failure.
  • If an upgrade cannot be performed immediately, limit access to the browser‑control endpoints so that only trusted local processes or IPs can reach them. This only narrows the exposure: the attack vector is local or loopback, so a network filter does not stop an untrusted local process, or an SSRF path in another service on the same host, from reaching the loopback listener.
  • After patching, restart the OpenClaw service, check the startup logs for any auth bootstrap error, and confirm that an unauthenticated request to a browser‑control route is rejected rather than served.

Generated by OpenCVE AI on March 20, 2026 at 00:27 UTC.

Advisories
Source | ID | Title
Github GHSA | GHSA-vpj2-69hf-rppw | OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure
History

Fri, 20 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 22:15:00 +0000

Type | Values Removed | Values Added
Description | | OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-control routes to remain accessible without authentication. Local processes or loopback-reachable SSRF paths can exploit this to access browser-control routes including evaluate-capable actions without valid credentials.
Title | | OpenClaw < 2026.3.1 - Unauthenticated Browser Control Access via Failed Auth Bootstrap
First Time appeared | | Openclaw; Openclaw openclaw
Weaknesses | | CWE-306
CPEs | | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products | | Openclaw; Openclaw openclaw
References | |
Metrics | | cvssV3_1: {'score': 6.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L'}; cvssV4_0: {'score': 7.5, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-20T17:52:19.289Z

Reserved: 2026-03-10T19:48:44.964Z

Link: CVE-2026-32041

Vulnrichment

Updated: 2026-03-20T17:52:01.826Z

NVD

Status : Analyzed

Published: 2026-03-19T22:16:40.643

Modified: 2026-03-23T17:29:17.873

Link: CVE-2026-32041

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T10:44:13Z

Weaknesses