{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26317", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-13T16:27:51.807Z", "datePublished": "2026-02-19T21:34:27.786Z", "dateUpdated": "2026-02-20T15:41:39.603Z"}, "containers": {"cna": {"title": "OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q"}, {"name": "https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3", "tags": ["x_refsource_MISC"], "url": "https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3"}, {"name": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "tags": ["x_refsource_MISC"], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"}], "affected": [{"vendor": "openclaw", "product": "openclaw", "versions": [{"version": "< 2026.2.14", "status": "affected"}]}, {"vendor": "openclaw", "product": "clawdbot", "versions": [{"version": "<= 2026.1.24-3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T21:34:27.786Z"}, "descriptions": [{"lang": "en", "value": "OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A malicious website can trigger unauthorized state changes against a victim's local OpenClaw browser control plane (for example opening tabs, starting/stopping the browser, mutating storage/cookies) if the browser control service is reachable on loopback in the victim's browser context. Starting in version 2026.2.14, mutating HTTP methods (POST/PUT/PATCH/DELETE) are rejected when the request indicates a non-loopback Origin/Referer (or `Sec-Fetch-Site: cross-site`). Other mitigations include enabling browser control auth (token/password) and avoid running with auth disabled."}], "source": {"advisory": "GHSA-3fqr-4cg8-h96q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T15:27:31.698114Z", "id": "CVE-2026-26317", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T15:41:39.603Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26317", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T15:27:31.698114Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T15:27:33.425Z"}}], "cna": {"title": "OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints", "source": {"advisory": "GHSA-3fqr-4cg8-h96q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "openclaw", "product": "openclaw", "versions": [{"status": "affected", "version": "< 2026.2.14"}]}, {"vendor": "openclaw", "product": "clawdbot", "versions": [{"status": "affected", "version": "<= 2026.1.24-3"}]}], "references": [{"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q", "name": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3", "name": "https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "name": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A malicious website can trigger unauthorized state changes against a victim's local OpenClaw browser control plane (for example opening tabs, starting/stopping the browser, mutating storage/cookies) if the browser control service is reachable on loopback in the victim's browser context. Starting in version 2026.2.14, mutating HTTP methods (POST/PUT/PATCH/DELETE) are rejected when the request indicates a non-loopback Origin/Referer (or `Sec-Fetch-Site: cross-site`). Other mitigations include enabling browser control auth (token/password) and avoid running with auth disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T21:34:27.786Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26317", "state": "PUBLISHED", "dateUpdated": "2026-02-20T15:41:39.603Z", "dateReserved": "2026-02-13T16:27:51.807Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-19T21:34:27.786Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "0F3079A3-9FBD-4E87-821D-5CAF0622C555", "versionEndExcluding": "2026.2.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A malicious website can trigger unauthorized state changes against a victim's local OpenClaw browser control plane (for example opening tabs, starting/stopping the browser, mutating storage/cookies) if the browser control service is reachable on loopback in the victim's browser context. Starting in version 2026.2.14, mutating HTTP methods (POST/PUT/PATCH/DELETE) are rejected when the request indicates a non-loopback Origin/Referer (or `Sec-Fetch-Site: cross-site`). Other mitigations include enabling browser control auth (token/password) and avoid running with auth disabled."}, {"lang": "es", "value": "OpenClaw es un asistente personal de IA. Antes de la versi\u00f3n 2026.2.14, las rutas de mutaci\u00f3n de localhost orientadas al navegador aceptaban solicitudes de navegador de origen cruzado sin validaci\u00f3n expl\u00edcita de Origin/Referer. La vinculaci\u00f3n de bucle invertido reduce la exposici\u00f3n remota, pero no evita las solicitudes iniciadas por el navegador desde or\u00edgenes maliciosos. Un sitio web malicioso puede desencadenar cambios de estado no autorizados contra el plano de control del navegador OpenClaw local de una v\u00edctima (por ejemplo, abrir pesta\u00f1as, iniciar/detener el navegador, mutar almacenamiento/cookies) si el servicio de control del navegador es accesible en bucle invertido en el contexto del navegador de la v\u00edctima. A partir de la versi\u00f3n 2026.2.14, los m\u00e9todos HTTP mutantes (POST/PUT/PATCH/DELETE) son rechazados cuando la solicitud indica un Origin/Referer que no es de bucle invertido (o 'Sec-Fetch-Site: cross-site'). Otras mitigaciones incluyen habilitar la autenticaci\u00f3n de control del navegador (token/contrase\u00f1a) y evitar ejecutar con la autenticaci\u00f3n deshabilitada."}], "id": "CVE-2026-26317", "lastModified": "2026-02-26T18:39:50.060", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-19T22:16:47.270", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.1.24-3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "clawdbot", "source": "cna", "vendor": "openclaw"}, "product": "clawdbot", "vendor": "openclaw"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.2.14)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openclaw", "source": "cna", "vendor": "openclaw"}, "product": "openclaw", "vendor": "openclaw"}], "analysis": {"en": {"generated_at": "2026-04-18T11:41:54.666161+00:00", "value": {"mitigation_remediation": ["Upgrade to OpenClaw version\u202f2026.2.14 or later, which rejects mutating requests that indicate a non\u2011loopback Origin, Referer, or Sec\u2011Fetch\u2011Site header.", "Enable authentication for the OpenClaw browser\u2011control service by configuring a token or password, ensuring the service is not left unauthenticated.", "If an immediate upgrade is not possible, restrict the loopback control port so that only traffic originating from localhost can reach the mutation endpoints, for example by configuring the firewall to block remote access or binding the service to a dedicated loopback address."], "summary": {"action": "Upgrade", "impact": "Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of OpenClaw and its ClawDBot component that are older than version\u202f2026.2.14. Users with the browser\u2011control REST API bound to the loopback interface and authentication disabled are exposed. No finer version granularity is provided beyond the cutoff, so it should be presumed that every pre\u20112026.2.14 build is potentially affected.", "description_and_impact": "OpenClaw is a personal AI assistant that exposed a set of browser\u2011facing localhost endpoints for mutating state without validating the Origin or Referer headers. The missing check allowed a malicious website to cause the victim\u2019s browser to perform unauthorized actions\u2014such as opening or closing tabs, altering storage or cookies, or starting and stopping the OpenClaw instance\u2014by sending requests to the loopback interface. Based on the description, it is inferred that an attacker would need only to host a malicious page that the victim visits, and the victim\u2019s browser would then forge the requests. The flaw maps to the classic cross\u2011site request forgery weakness (CWE\u2011352), and the primary impact is local state manipulation that can disrupt the user\u2019s browsing experience.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high impact with moderate to high exploitability. The EPSS score of <\u202f1\u202f% suggests that exploitation is unlikely at present. The flaw is not listed in the CISA KEV catalog. Attackers would need only a malicious web page; the victim\u2019s browser would then forge requests to the loopback mutation endpoints, bypassing the lack of Origin/Referer validation. The combination of low EPSS and high CVSS underscores the importance of promptly applying the vendor\u2019s patch or enabling authentication."}}}}, "created": "2026-02-20T09:53:50.914212+00:00", "updated": "2026-04-18T11:45:44.599232+00:00", "vendors": ["openclaw", "openclaw$PRODUCT$clawdbot", "openclaw$PRODUCT$openclaw"]}