CVSS 4.0 score: 7.5

OpenClaw: Unauthenticated access to sensitive operations

CVE-2026-28485
Summary

OpenClaw versions 2026.1.5 to 2026.2.11 have a security issue that allows unauthorized users on the same network to access sensitive data and perform certain actions. This could potentially lead to unauthorized data access or manipulation. Update to OpenClaw version 2026.2.12 or later to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor     Product    Affected versions           Fix available
openclaw   openclaw   <= 2026.1.5
openclaw   openclaw   > 2026.2.9, <= 2026.2.12
Original title
OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP route, allowing unauthorized local callers to invoke privileged operations.
Original description
OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP route, allowing unauthorized local callers to invoke privileged operations. Remote attackers on the local network or local processes can execute arbitrary browser-context actions and access sensitive in-session data by sending requests to unauthenticated endpoints.
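For defenders hunting for exploitation of this CWE-306 issue in their own deployments, the following is an added example (not code from the advisory or from OpenClaw) that flags successful calls to the /agent/act route carrying no Authorization header in access logs. The log layout is an assumption constructed for the example; adapt the regex to your gateway's real format.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample access-log lines (assumed layout, not OpenClaw's real
# format): client_ip method path status "Authorization header or -".
SAMPLE_LOG = """\
127.0.0.1 POST /agent/act 200 "Bearer xxxx"
192.168.1.23 POST /agent/act 200 "-"
192.168.1.23 GET /healthz 200 "-"
10.0.0.5 POST /agent/act 200 "Bearer yyyy"
::1 POST /agent/act 200 "-"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
# The route named in the advisory; extend if other unauthenticated routes are found.
SENSITIVE_ROUTES = ("/agent/act",)


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into its fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ip, method, path, status, auth = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": status, "auth": auth}


def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1; malformed addresses count as non-loopback."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def find_unauthenticated_hits(log_text: str) -> List[Dict[str, str]]:
    """Return 2xx calls to a sensitive route that carried no Authorization header.
    Loopback callers are reported too (the advisory covers local processes as
    well as LAN hosts) but are tagged so triage can prioritise network origins."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["path"] in SENSITIVE_ROUTES and rec["status"].startswith("2") and rec["auth"] == "-":
            rec["origin"] = "local" if is_loopback(rec["ip"]) else "network"
            hits.append(rec)
    return hits
```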
NVD CVSS 3.1: 8.4
NVD CVSS 4.0: 7.5
Vulnerability type
CWE-306 Missing Authentication for Critical Function
Published: 5 Mar 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026