Openclaw · Openclaw · CVE-2026-28485
**Name of the Vulnerable Software and Affected Versions**
OpenClaw versions 2026.1.5 through 2026.2.11
**Description**
The software does not enforce mandatory authentication on the `/agent/act` browser-control HTTP route. This allows unauthorized local callers to invoke privileged operations. Remote attackers on the local network or local processes can execute arbitrary browser-context actions and access sensitive in-session data by sending requests to unauthenticated endpoints.
**Recommendations**
Update to version 2026.2.12 or later.