OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP route, allowing unauthorized local callers to invoke privileged operations. Remote attackers on the local network or local processes can execute arbitrary browser-context actions and access sensitive in-session data by sending requests to unauthenticated endpoints.
Attack Parameters
Attack Vector
Local
Нужен локальный доступ
Attack Complexity
Low
Легко эксплуатировать
Attack Requirements
Present
Нужны дополнительные условия
Privileges Required
None
Права не нужны
User Interaction
None
Не нужно действие пользователя
Impact Assessment
Confidentiality
High
Полная утечка данных
Integrity
High
Полная модификация данных
Availability
Low
Частичное нарушение работы
CVSS Vector v4.0
Weakness Type (CWE)
References 3
https://github.com/openclaw/openclaw/commit/9230a2ae14307740a13ada7afd6dcfab34e…
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/security/advisories/GHSA-qpjj-47vm-64pj
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openclaw-missing-authentication-in-browser…
disclosure@vulncheck.com