VYPR
Unrated severityNVD Advisory· Published Mar 5, 2026· Updated Mar 9, 2026

OpenClaw 2026.1.5 < 2026.2.12 - Missing Authentication in Browser Control HTTP Endpoints

CVE-2026-28485

Description

OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP route, allowing unauthorized local callers to invoke privileged operations. Remote attackers on the local network or local processes can execute arbitrary browser-context actions and access sensitive in-session data by sending requests to unauthenticated endpoints.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • OpenClaw/Openclawllm-fuzzy2 versions
    <2026.2.12+ 1 more
    • (no CPE)range: <2026.2.12
    • (no CPE)range: 2026.1.5

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.