PT-2026-20368 · Openclaw +1

Vincentkoc · Published 2026-02-18 · Updated 2026-02-19

CVE-2026-26317

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions

OpenClaw versions prior to 2026.2.14
clawdbot versions prior to 2026.1.24-3
Description

Browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A malicious website can trigger unauthorized state changes against a victim's local OpenClaw browser control plane, such as opening tabs, starting or stopping the browser, or modifying storage and cookies, if the browser control service is reachable on loopback within the victim's browser context. The issue stems from exposed mutating HTTP endpoints lacking a CSRF-style guard, allowing browsers to send cross-origin requests to loopback addresses without proper validation.
Recommendations

Versions prior to 2026.2.14: Upgrade to version 2026.2.14 or later.
Versions prior to 2026.1.24-3: Upgrade to version 2026.1.24-3 or later.
Enable browser control authentication (token/password) and avoid running without authentication.

Exploit

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2026-26317
GHSA-3FQR-4CG8-H96Q

Affected Products

Openclaw
Clawdbot