Lucene search
K

90 matches found

NVD
NVD
added 2026/03/19 10:16 p.m.4 views

CVE-2026-32041

OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-control routes to remain accessible without authentication. Local processes or loopback-reachable SSRF paths can exploit this to access browser-control routes including...

7.8CVSS0.0011EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/19 10:7 p.m.1 views

CVE-2026-32041

OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-control routes to remain accessible without authentication. Local processes or loopback-reachable SSRF paths can exploit this to access browser-control routes including...

7.5CVSS5.8AI score0.0011EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/19 10:7 p.m.1 views

CVE-2026-32041 OpenClaw < 2026.3.1 - Unauthenticated Browser Control Access via Failed Auth Bootstrap

OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-control routes to remain accessible without authentication. Local processes or loopback-reachable SSRF paths can exploit this to access browser-control routes including...

7.5CVSS5.8AI score0.0011EPSS
Exploits0References2
CVE
CVE
added 2026/03/19 10:7 p.m.12 views

CVE-2026-32041

OpenClaw vulnerable in versions prior to 2026.3.1 due to authentication bootstrap error at startup, leaving browser-control routes accessible without authentication. Local or loopback SSRF paths can reach browser-control routes, including evaluate-capable actions, without valid credentials. CVSS ...

7.8CVSS5.8AI score0.0011EPSS
Exploits0References2Affected Software1
CNNVD
CNNVD
added 2026/03/19 12:0 a.m.9 views

OpenClaw 访问控制错误漏洞

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from an Access Control Error vulnerability that is caused by a failure to properly handle authentication boot errors during startup. An attacker can exploit the vulnerability to cause a local process or...

7.8CVSS5.8AI score0.0011EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/07 1:44 a.m.4 views

CVE-2026-28468

OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser bridge server in which it accepts requests without requiring gateway authentication, allowing local attackers to access browser control endpoints. A local attacker can enumerate tabs, retrieve...

8.5CVSS5.8AI score0.00142EPSS
Exploits0References1
OSV
OSV
added 2026/03/05 10:16 p.m.2 views

CVE-2026-28462

OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser control API in which it accepts user-supplied output paths for trace and download files without consistently constraining writes to temporary directories. Attackers with API access can exploit path traversal in POST...

9.1CVSS5.8AI score
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/05 9:59 p.m.3 views

CVE-2026-28485 OpenClaw 2026.1.5 < 2026.2.12 - Missing Authentication in Browser Control HTTP Endpoints

OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP route, allowing unauthorized local callers to invoke privileged operations. Remote attackers on the local network or local processes can execute arbitrary browser-context...

8.4CVSS6AI score0.00196EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/05 9:59 p.m.27 views

CVE-2026-28485 OpenClaw 2026.1.5 < 2026.2.12 - Missing Authentication in Browser Control HTTP Endpoints

OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP route, allowing unauthorized local callers to invoke privileged operations. Remote attackers on the local network or local processes can execute arbitrary browser-context...

8.4CVSS0.00196EPSS
Exploits0References3
CVE
CVE
added 2026/03/05 9:59 p.m.15 views

CVE-2026-28468

OpenClaw: A sandbox browser bridge server vulnerability in versions 2026.1.29-beta.1 prior to 2026.2.14 allows local attackers to bypass gateway authentication and access browser control endpoints. A local attacker can enumerate tabs, retrieve WebSocket URLs, execute JavaScript, and exfiltrate co...

8.5CVSS6AI score0.00142EPSS
Exploits0References5Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/05 9:59 p.m.3 views

CVE-2026-28462

OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser control API in which it accepts user-supplied output paths for trace and download files without consistently constraining writes to temporary directories. Attackers with API access can exploit path traversal in POST...

8.7CVSS6AI score0.00425EPSS
Exploits0References4
EUVD
EUVD
added 2026/03/05 9:59 p.m.5 views

EUVD-2026-9908

OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser control API in which it accepts user-supplied output paths for trace and download files without consistently constraining writes to temporary directories. Attackers with API access can exploit path traversal in POST...

8.7CVSS6AI score0.00425EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/02 9:49 p.m.7 views

OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure

Summary When browser control started without explicit auth credentials, OpenClaw attempted to bootstrap auth automatically. In affected versions, if that bootstrap step threw an error, startup could continue and expose browser-control routes without authentication. Impact On affected deployments,...

7.8CVSS5.9AI score0.0011EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/03/02 9:49 p.m.7 views

GHSA-VPJ2-69HF-RPPW OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure

Summary When browser control started without explicit auth credentials, OpenClaw attempted to bootstrap auth automatically. In affected versions, if that bootstrap step threw an error, startup could continue and expose browser-control routes without authentication. Impact On affected deployments,...

7.5CVSS5.9AI score0.0011EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/02/21 1:28 a.m.7 views

CVE-2026-26317

OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A...

7.1CVSS5.6AI score0.0014EPSS
Exploits0References1
NVD
NVD
added 2026/02/19 10:16 p.m.7 views

CVE-2026-26317

OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A...

7.1CVSS0.0014EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/02/19 9:34 p.m.21 views

CVE-2026-26317 OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints

OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A...

7.1CVSS0.0014EPSS
Exploits0References3
OSV
OSV
added 2026/02/19 9:34 p.m.6 views

CVE-2026-26317 OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints

OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A...

7.1CVSS5.7AI score0.0014EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/02/19 12:0 a.m.16 views

PT-2026-20962

OpenClaw is a personal AI assistant. In versions 2026.1.12 through 2026.2.12, OpenClaw browser download helpers accepted an unsanitized output path. When invoked via the browser control gateway routes, this allowed path traversal to write downloads outside the intended OpenClaw temp downloads...

6.7CVSS5.5AI score0.00199EPSS
Exploits0References4
Snyk
Snyk
added 2026/02/18 5:45 p.m.5 views

Missing Authentication for Critical Function

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to missing authentication when starting sandbox browser bridge server. An attacker can gain unauthorized access to browser control...

8.5CVSS5.8AI score0.00142EPSS
Exploits0References2
Rows per page
Query Builder