PT-2026-23559 · Openclaw · Openclaw

Troy Cusolle · Published 2026-02-13 · Updated 2026-03-11

CVE-2026-28485

CVSS v3.1: 8.4 (High)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenClaw versions 2026.1.5 through 2026.2.11

Description: The software does not enforce mandatory authentication on the /agent/act browser-control HTTP route, so unauthorized local callers can invoke privileged operations. Attackers on the local network or local processes can execute arbitrary browser-context actions and access sensitive in-session data by sending requests to the unauthenticated endpoint.

Recommendations: Update to version 2026.2.12 or later.

Fix

Weakness Enumeration

Missing Authentication

Related Identifiers

BDU:2026-06353
CVE-2026-28485
GHSA-QPJJ-47VM-64PJ

Affected Products

Openclaw