FKIE_CVE-2026-26317

Vulnerability from fkie_nvd - Published: 2026-02-19 22:16 - Updated: 2026-02-26 18:39
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Summary
OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A malicious website can trigger unauthorized state changes against a victim's local OpenClaw browser control plane (for example opening tabs, starting/stopping the browser, mutating storage/cookies) if the browser control service is reachable on loopback in the victim's browser context. Starting in version 2026.2.14, mutating HTTP methods (POST/PUT/PATCH/DELETE) are rejected when the request indicates a non-loopback Origin/Referer (or `Sec-Fetch-Site: cross-site`). Other mitigations include enabling browser control auth (token/password) and avoid running with auth disabled.
References
security-advisories@github.comhttps://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3Patch
security-advisories@github.comhttps://github.com/openclaw/openclaw/releases/tag/v2026.2.14Release Notes
security-advisories@github.comhttps://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96qPatch, Vendor Advisory
Impacted products
Vendor Product Version
openclaw openclaw *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "0F3079A3-9FBD-4E87-821D-5CAF0622C555",
              "versionEndExcluding": "2026.2.14",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A malicious website can trigger unauthorized state changes against a victim\u0027s local OpenClaw browser control plane (for example opening tabs, starting/stopping the browser, mutating storage/cookies) if the browser control service is reachable on loopback in the victim\u0027s browser context. Starting in version 2026.2.14, mutating HTTP methods (POST/PUT/PATCH/DELETE) are rejected when the request indicates a non-loopback Origin/Referer (or `Sec-Fetch-Site: cross-site`). Other mitigations include enabling browser control auth (token/password) and avoid running with auth disabled."
    },
    {
      "lang": "es",
      "value": "OpenClaw es un asistente personal de IA. Antes de la versi\u00f3n 2026.2.14, las rutas de mutaci\u00f3n de localhost orientadas al navegador aceptaban solicitudes de navegador de origen cruzado sin validaci\u00f3n expl\u00edcita de Origin/Referer. La vinculaci\u00f3n de bucle invertido reduce la exposici\u00f3n remota, pero no evita las solicitudes iniciadas por el navegador desde or\u00edgenes maliciosos. Un sitio web malicioso puede desencadenar cambios de estado no autorizados contra el plano de control del navegador OpenClaw local de una v\u00edctima (por ejemplo, abrir pesta\u00f1as, iniciar/detener el navegador, mutar almacenamiento/cookies) si el servicio de control del navegador es accesible en bucle invertido en el contexto del navegador de la v\u00edctima. A partir de la versi\u00f3n 2026.2.14, los m\u00e9todos HTTP mutantes (POST/PUT/PATCH/DELETE) son rechazados cuando la solicitud indica un Origin/Referer que no es de bucle invertido (o \u0027Sec-Fetch-Site: cross-site\u0027). Otras mitigaciones incluyen habilitar la autenticaci\u00f3n de control del navegador (token/contrase\u00f1a) y evitar ejecutar con la autenticaci\u00f3n deshabilitada."
    }
  ],
  "id": "CVE-2026-26317",
  "lastModified": "2026-02-26T18:39:50.060",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-19T22:16:47.270",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.