CVE-2026-62226 in OpenClawinfo

Summary

by MITRE • 07/17/2026

OpenClaw 2026.3.28 before 2026.5.19 contain an authorization bypass vulnerability in the browser act route that fails to properly validate current-tab URL checks. Attackers with lower-trust access or configured input paths can perform actions requiring stronger authorization or policy checks.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/17/2026

The OpenClaw software version 2026.3.28 through 2026.5.18 contains a critical authorization bypass vulnerability that stems from inadequate validation of URL checks within the browser act route functionality. This flaw represents a significant security weakness that directly violates fundamental access control principles and can be categorized under CWE-285: Improper Authorization. The vulnerability specifically affects the browser act route component which is responsible for handling user interactions within the application's web interface, where proper validation of the current tab URL should occur before allowing privileged operations to proceed.

The technical implementation of this vulnerability allows attackers with lower privilege levels or those who have gained access through configured input paths to bypass intended authorization checks that should normally restrict certain actions to users with higher trust levels. The flaw occurs because the system fails to properly validate whether the current tab URL matches expected patterns or authorized domains before executing operations that require stronger authorization policies. This type of vulnerability falls squarely within ATT&CK technique T1078: Valid Accounts, as it leverages existing access to perform unauthorized actions through insufficient validation mechanisms.

The operational impact of this vulnerability extends beyond simple privilege escalation as it enables attackers to potentially perform administrative functions, access restricted data, or manipulate system configurations without proper authorization. The scope of damage depends on the specific operations available through the browser act route, but typically includes capabilities such as file manipulation, configuration changes, user management, and data access that should normally require elevated privileges. Organizations using affected OpenClaw versions face significant risk of unauthorized access to sensitive system resources and potential data breaches.

Mitigation strategies for this vulnerability include immediate deployment of the patched version 2026.5.19 or later, which addresses the URL validation issue in the browser act route component. Administrators should also implement additional monitoring for suspicious activities related to the browser act route functionality and consider implementing network segmentation to limit access to critical system components. The vulnerability demonstrates the importance of proper input validation and authorization checking as outlined in security standards such as NIST SP 800-53 controls, particularly those related to access control and system integrity. Organizations should also conduct thorough security assessments to identify similar validation gaps in other application components and ensure that all user interactions undergo proper authorization verification before execution of privileged operations.

Responsible

VulnCheck

Reservation

07/13/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!