PT-2026-26422 · Openclaw · Openclaw

Teipete · Published 2026-03-02 · Updated 2026-04-09 · CVE-2026-32041

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.1
Description: OpenClaw does not correctly handle errors in its authentication bootstrap during startup, which can leave browser-control routes reachable without authentication. When browser control started without explicitly configured credentials, the software attempted to bootstrap authentication automatically. If that bootstrap failed, startup continued anyway (fail open) and the browser-control routes were served unauthenticated. Any local process, or any loopback-reachable Server-Side Request Forgery (SSRF) path, can then call those routes, including actions capable of evaluating code, without valid credentials. The CVSS vector reflects this: the attacker needs only local or loopback reachability (AV:L, PR:L), but the routes reached give full control of the browser session (C:H/I:H/A:H).
Recommendations: Update to version 2026.3.1 or later. After upgrading, confirm that browser-control routes reject requests that carry no credentials, and review which local processes and loopback-reachable services could have reached the listener while the vulnerable version was running.

Fix

Weakness Enumeration

Missing Authentication

Related Identifiers

CVE-2026-32041
GHSA-VPJ2-69HF-RPPW

Affected Products

Openclaw