Unrated severityNVD Advisory· Published Mar 5, 2026· Updated Mar 9, 2026

OpenClaw 2026.1.5 < 2026.2.12 - Missing Authentication in Browser Control HTTP Endpoints

CVE-2026-28485

Description

OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP route, allowing unauthorized local callers to invoke privileged operations. Remote attackers on the local network or local processes can execute arbitrary browser-context actions and access sensitive in-session data by sending requests to unauthenticated endpoints.

Affected products

OpenClaw/Openclawv5
Range: 2026.1.5

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/openclaw/openclaw/commit/9230a2ae14307740a13ada7afd6dcfab34e0287fmitrepatch
github.com/openclaw/openclaw/security/advisories/GHSA-qpjj-47vm-64pjmitrevendor-advisory
www.vulncheck.com/advisories/openclaw-missing-authentication-in-browser-control-http-endpointsmitrethird-party-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000