CVE-2026-28485

HIGH  CVSS 4.0: 7.5  EPSS 0.12%
Updated Mar 05, 2026
OpenClaw

Parameter          Value
CVSS               7.5 (HIGH)
Affected Versions  2026.1.5 and later, before 2026.2.12 (fixed in 2026.2.12)
Type               CWE-306 (Missing Authentication for Critical Function)
Vendor             OpenClaw
Public PoC         No

OpenClaw versions from 2026.1.5 up to, but not including, 2026.2.12 do not enforce authentication on the /agent/act browser-control HTTP route, so any caller able to reach the route can invoke privileged operations without presenting credentials. Local processes and, where the route is reachable from them, hosts on the local network can drive the browser context (arbitrary browser-context actions) and read sensitive in-session data simply by sending requests to the unauthenticated endpoint. The practical check is to send a request to /agent/act with no Authorization header: an instance that answers with anything other than 401/403 is running the unpatched code path.
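The pattern behind CWE-306 here, shown as an added example that is not OpenClaw's own code: an agent gateway whose authentication is applied per route (so a route whose handler omits the check, /agent/act in this illustration, is open to anyone who can reach the port) beside a deny-by-default gate that runs before routing, plus the unauthenticated probe a practitioner would use to test an instance. The request shape, the route table, the bearer-token scheme and the token value are all constructed assumptions for the illustration; the real OpenClaw wire format is not reproduced.

```javascript
// Added example (not OpenClaw code): CWE-306 on a browser-control route,
// its deny-by-default fix, and an unauthenticated probe.

// Constructed shared secret for the illustration; an assumption, not a real value.
const AGENT_TOKEN = "constructed-example-token-do-not-use";

// Constant-time string comparison so token checks do not leak via timing.
// Length is compared up front, which only reveals the expected token length.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Extracts the token from "Authorization: Bearer <token>", or null if absent.
function bearerToken(headers) {
  const h = headers["authorization"] || "";
  const m = /^Bearer\s+(\S+)$/i.exec(h);
  return m ? m[1] : null;
}

// Constructed request shape: { method, path, headers, body }.
function isAuthenticated(req) {
  const tok = bearerToken(req.headers || {});
  return tok !== null && constantTimeEqual(tok, AGENT_TOKEN);
}

// Route table; each handler returns { status, body }.
const routes = {
  "/health": () => ({ status: 200, body: "ok" }),
  // Privileged browser-control action: in the vulnerable layout nothing
  // in front of this handler checks credentials.
  "/agent/act": (req) => ({ status: 200, body: "acted: " + req.body }),
};

// VULNERABLE pattern (CWE-306): authentication is the handler's job, so a
// handler that forgets it exposes a privileged operation to any caller.
function handleVulnerable(req) {
  const handler = routes[req.path];
  if (!handler) return { status: 404, body: "not found" };
  return handler(req);
}

// HARDENED pattern: the gate runs before routing. Only routes listed here
// skip it; every other route, including ones added later, is authenticated.
const PUBLIC_ROUTES = new Set(["/health"]);

function handleHardened(req) {
  if (!PUBLIC_ROUTES.has(req.path) && !isAuthenticated(req)) {
    return { status: 401, body: "unauthorized" };
  }
  return handleVulnerable(req); // same router; the gate has already run
}

// Probe: does /agent/act accept a request carrying no credentials?
// Returns true when the route is exposed (any answer other than 401/403).
function probeUnauthenticated(handler) {
  const res = handler({ method: "POST", path: "/agent/act", headers: {}, body: "navigate" });
  return res.status !== 401 && res.status !== 403;
}

// Stand-alone usage.
console.log("vulnerable exposed:", probeUnauthenticated(handleVulnerable)); // true
console.log("hardened exposed:", probeUnauthenticated(handleHardened));     // false
```

The point of the hardened layout is that the allowlist of public routes is the only place where "no authentication" can be expressed, so a new privileged route cannot be shipped unauthenticated by omission. Against a live instance the same probe is a POST to /agent/act with no Authorization header, inspecting the status code.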

Attack Parameters

Attack Vector (AV): Local - requires local access
Attack Complexity (AC): Low - easy to exploit
Attack Requirements (AT): Present - additional conditions required
Privileges Required (PR): None - no privileges needed
User Interaction (UI): None - no user interaction needed

Impact Assessment

Confidentiality (VC): High - complete loss of confidentiality of in-session data
Integrity (VI): High - complete control over in-session data and browser actions
Availability (VA): Low - partial disruption

CVSS Vector v4.0