OpenClaw Browser Control Unauthenticated Access After Auth Failure
GHSA-vpj2-69hf-rppw
Summary
OpenClaw's browser control feature can continue running without authentication if the initial authentication step fails. This allows a local process or internal request to access sensitive browser-control routes without logging in. To fix this, update to version 2026.3.1 or later to ensure browser control stops running if authentication fails.
What to do
- Update openclaw to version 2026.3.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.1 | 2026.3.1 |
Original title
OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure
Original description
### Summary
When browser control started without explicit auth credentials, OpenClaw attempted to bootstrap auth automatically. In affected versions, if that bootstrap step threw an error, startup could continue and expose browser-control routes without authentication.
### Impact
On affected deployments, a local process (or a loopback-reachable SSRF path) could access browser-control routes, including evaluate-capable actions, without auth.
### Fix
Startup now fails closed: if bootstrap auth fails and no explicit token/password is configured, browser-control startup aborts.
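The fail-closed startup the fix describes, shown as an added illustration that is not OpenClaw's code: the vulnerable shape catches the bootstrap error and starts the route guard with no credentials, so every request passes; the hardened shape aborts startup unless an explicit token or password is configured. All names (`BrowserControlConfig`, `bootstrapAuth`, `startBrowserControl*`) and the failing bootstrap scenario are assumptions constructed for the example.

```typescript
// Added example modelling the advisory's fail-closed fix; not OpenClaw's code.
// Every identifier below is an assumption chosen for illustration.

type AuthCredentials = { token?: string; password?: string };

interface BrowserControlConfig {
  explicitAuth?: AuthCredentials;        // token/password set by the operator
  bootstrapAuth: () => AuthCredentials;  // automatic bootstrap; may throw
}

interface BrowserControlServer {
  // Returns true when a request is allowed to reach a browser-control route.
  authorize(presented: AuthCredentials): boolean;
}

// Warnings recorded by the vulnerable path (stands in for a logger).
const startupWarnings: string[] = [];

function hasCredentials(c: AuthCredentials | undefined): boolean {
  if (!c) return false;
  const tokenSet = typeof c.token === "string" && c.token.length > 0;
  const passwordSet = typeof c.password === "string" && c.password.length > 0;
  return tokenSet || passwordSet;
}

function buildServer(creds: AuthCredentials | undefined): BrowserControlServer {
  return {
    authorize(presented) {
      // With nothing configured the guard has nothing to compare against and
      // lets every caller through: this is the unauthenticated exposure.
      if (!creds || !hasCredentials(creds)) return true;
      const tokenOk = creds.token !== undefined && presented.token === creds.token;
      const passwordOk = creds.password !== undefined && presented.password === creds.password;
      return tokenOk || passwordOk;
    },
  };
}

// Vulnerable pattern: a bootstrap failure is logged and startup continues,
// leaving creds undefined and the routes open.
function startBrowserControlVulnerable(cfg: BrowserControlConfig): BrowserControlServer {
  let creds = cfg.explicitAuth;
  if (!hasCredentials(creds)) {
    try {
      creds = cfg.bootstrapAuth();
    } catch (err) {
      startupWarnings.push(`auth bootstrap failed, continuing: ${(err as Error).message}`);
    }
  }
  return buildServer(creds);
}

// Fail-closed pattern: if bootstrap fails (or yields nothing) and no explicit
// token/password is configured, startup aborts instead of exposing routes.
function startBrowserControlFailClosed(cfg: BrowserControlConfig): BrowserControlServer {
  let creds = cfg.explicitAuth;
  if (!hasCredentials(creds)) {
    try {
      creds = cfg.bootstrapAuth();
    } catch (err) {
      throw new Error(
        `browser-control startup aborted: auth bootstrap failed and no explicit ` +
        `token/password is configured (${(err as Error).message})`,
      );
    }
    if (!hasCredentials(creds)) {
      throw new Error("browser-control startup aborted: bootstrap produced no credentials");
    }
  }
  return buildServer(creds);
}

// Constructed scenario: the bootstrap step throws (e.g. credential store unavailable).
const failingBootstrap = (): AuthCredentials => {
  throw new Error("credential store unavailable");
};

// True when the hardened startup refuses to run under the failing bootstrap.
function startupAbortsFailClosed(): boolean {
  try {
    startBrowserControlFailClosed({ bootstrapAuth: failingBootstrap });
    return false;
  } catch {
    return true;
  }
}
```

The check that matters for detection is the one `startupAbortsFailClosed` exercises: on a patched build, a failed bootstrap with no explicit credentials must prevent the browser-control listener from ever binding, so an operator should see a startup error rather than a silently open service.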
### Affected and Patched Versions
- Affected: `<= 2026.2.26`
- Patched: `2026.3.1`
CVSS 4.0 (GHSA): 6.9
Vulnerability type
CWE-306
Missing Authentication for Critical Function
Published: 2 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026