CVE-2026-28485 in OpenClaw
Summary
by MITRE • 03/06/2026
OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP route, allowing unauthorized local callers to invoke privileged operations. Remote attackers on the local network or local processes can execute arbitrary browser-context actions and access sensitive in-session data by sending requests to unauthenticated endpoints.
Analysis
by VulDB Data Team • 03/11/2026
The vulnerability identified as CVE-2026-28485 affects OpenClaw versions prior to 2026.2.12 and represents a critical authentication bypass flaw within the application's browser control interface. This issue manifests through the /agent/act HTTP route which should require mandatory authentication but instead allows unauthorized access from local network entities or local processes. The flaw enables attackers to perform privileged operations without proper credential validation, creating a significant security risk for systems running affected versions of the software.
The technical implementation of this vulnerability stems from inadequate access control enforcement within the web application's routing mechanism. Specifically, the /agent/act endpoint fails to validate user credentials or session tokens before executing privileged browser control operations. This authentication gap allows malicious actors to craft HTTP requests that bypass normal authorization checks and directly invoke sensitive browser functions. The vulnerability is particularly concerning because it operates within the browser context, meaning that successful exploitation could lead to full browser session compromise and access to sensitive data that users have loaded into the browser environment.
From an operational perspective, this vulnerability creates multiple attack vectors for threat actors positioned within the local network or those able to execute code on the local machine. Local network attackers can leverage this flaw to execute arbitrary browser actions without requiring valid user credentials, while local processes can potentially exploit the unauthenticated endpoint to access or manipulate browser sessions. The impact extends beyond simple privilege escalation, as attackers can potentially access sensitive in-session data that may include personal information, financial data, or other confidential content stored within browser contexts. This represents a direct violation of the principle of least privilege and undermines the fundamental security model of the application's authentication system.
The vulnerability aligns with CWE-285, which addresses improper authorization issues in software systems, specifically targeting scenarios where authentication mechanisms fail to properly validate access requests. From an ATT&CK framework perspective, this weakness maps to T1078 legitimate credentials and T1566 social engineering techniques, as attackers can leverage the authentication bypass to gain unauthorized access to browser sessions. The security implications extend to potential data exfiltration, session hijacking, and browser-based attack surface expansion. Organizations should immediately implement the vendor-provided patch for OpenClaw version 2026.2.12 or higher to address this critical authentication bypass vulnerability and restore proper access controls to the browser control interface.
Mitigation strategies should include immediate deployment of the patched version 2026.2.12 or later, followed by comprehensive security auditing of all browser control endpoints to identify similar authentication gaps. Network segmentation and firewall rules should be implemented to restrict access to the affected service to only trusted local network segments. Organizations should also consider implementing monitoring for unusual patterns of access to browser control endpoints and establish incident response procedures for potential exploitation attempts. Regular security assessments of web applications should include thorough testing of authentication enforcement mechanisms to prevent similar vulnerabilities from emerging in the future.
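To illustrate the monitoring recommended above (an added example, not VulDB's or OpenClaw's tooling): a small review routine over constructed JSON-lines access records that flags calls to the browser-control route which arrived without an Authorization header or from a non-loopback client, marks those where the privileged call actually succeeded, and counts per-client hits to surface bursts. The record fields, the burst threshold and the sample lines are all constructed assumptions; adapt the parser to whatever access-log format the deployment actually writes.

```javascript
// Added example (not part of the advisory or of OpenClaw): reviewing access logs
// for suspicious calls to the browser-control route. The JSON-lines record format,
// field names and threshold below are constructed assumptions.

// Routes that should only ever be reached by an authenticated client.
const MONITORED_ROUTES = new Set(["/agent/act"]);

// Per-client hit count on monitored routes above which a burst is reported
// (assumed value; tune to the deployment's normal traffic).
const BURST_THRESHOLD = 2;

function isLoopback(ip) {
  return ip === "127.0.0.1" || ip === "::1" || ip === "::ffff:127.0.0.1";
}

// Parses one JSON-lines record; returns null for blank or malformed lines so a
// single bad line never aborts the review.
function parseRecord(line) {
  if (!line.trim()) return null;
  try {
    const r = JSON.parse(line);
    return typeof r.path === "string" && typeof r.client === "string" ? r : null;
  } catch {
    return null;
  }
}

// Returns the reasons one record is suspicious (empty array if it is not).
function classifyRecord(r) {
  const reasons = [];
  if (!MONITORED_ROUTES.has(r.path)) return reasons;
  if (!r.auth_header_present) reasons.push("no-authorization-header");
  if (!isLoopback(r.client)) reasons.push("non-loopback-client");
  // A 2xx on a flagged request means the privileged operation actually ran.
  if (reasons.length && r.status >= 200 && r.status < 300) {
    reasons.push("privileged-call-succeeded");
  }
  return reasons;
}

// Reviews a whole log text: per-record alerts plus clients whose hit count on
// monitored routes exceeds BURST_THRESHOLD.
function reviewLog(text) {
  const alerts = [];
  const hitsByClient = new Map();
  for (const line of text.split("\n")) {
    const r = parseRecord(line);
    if (!r) continue;
    if (MONITORED_ROUTES.has(r.path)) {
      hitsByClient.set(r.client, (hitsByClient.get(r.client) || 0) + 1);
    }
    const reasons = classifyRecord(r);
    if (reasons.length) {
      alerts.push({ ts: r.ts, client: r.client, path: r.path, status: r.status, reasons });
    }
  }
  const bursts = [...hitsByClient]
    .filter(([, n]) => n > BURST_THRESHOLD)
    .map(([client, n]) => ({ client, hits: n }));
  return { alerts, bursts };
}

// Constructed sample records (not real traffic). The fifth line is deliberately
// malformed; the last two show the same client after the 401-returning fix.
const SAMPLE_LOG = [
  '{"ts":"2026-03-12T10:00:01Z","client":"127.0.0.1","method":"POST","path":"/agent/act","status":200,"auth_header_present":true}',
  '{"ts":"2026-03-12T10:00:02Z","client":"192.168.1.44","method":"POST","path":"/agent/act","status":200,"auth_header_present":false}',
  '{"ts":"2026-03-12T10:00:03Z","client":"127.0.0.1","method":"POST","path":"/agent/act","status":200,"auth_header_present":false}',
  '{"ts":"2026-03-12T10:00:04Z","client":"192.168.1.44","method":"GET","path":"/healthz","status":200,"auth_header_present":false}',
  'garbled line that is not JSON',
  '{"ts":"2026-03-12T10:00:05Z","client":"192.168.1.44","method":"POST","path":"/agent/act","status":401,"auth_header_present":false}',
  '{"ts":"2026-03-12T10:00:06Z","client":"192.168.1.44","method":"POST","path":"/agent/act","status":401,"auth_header_present":false}',
].join("\n");

console.log(JSON.stringify(reviewLog(SAMPLE_LOG), null, 2));
```

On the constructed sample the review reports four alerts and one burst client. Records flagged "privileged-call-succeeded" on a pre-patch host are the ones worth treating as potential compromise rather than probing; after the patch the same requests show up as 401s, which remain useful as evidence of who is still trying.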