Platform: nodejs
Component: openclaw
Fixed in: 2026.2.15, 2026.1.25, 2026.2.14
CVE-2026-26317 describes a Cross-Site Request Forgery (CSRF) vulnerability in OpenClaw, a Node.js library for browser control. This flaw allows malicious websites to trigger unauthorized actions against a victim's local browser control plane, potentially leading to tab manipulation and storage modifications. The vulnerability impacts versions of OpenClaw less than or equal to the vulnerable release. A fix is available in version 2026.2.14.
The impact of CVE-2026-26317 stems from the lack of proper Origin/Referer validation on browser-facing mutation routes. While loopback binding limits remote exposure, it doesn't prevent malicious websites running in the victim's browser context from initiating requests. A successful exploit could allow an attacker to silently control aspects of the user's browser, such as opening new tabs, closing existing ones, starting or stopping the browser process, or even modifying browser storage and cookies. This could be leveraged for phishing attacks, data theft, or to inject malicious content into the user's browsing session. The potential for abuse is significant, particularly in scenarios where OpenClaw is integrated into browser extensions or other browser-based applications.
CVE-2026-26317 was publicly disclosed on February 18, 2026. The EPSS score is pending evaluation. Currently, there are no publicly available proof-of-concept exploits, but the vulnerability's nature makes it likely that one will emerge. Monitor security advisories and threat intelligence feeds for any indications of active exploitation. This vulnerability is not currently listed on the CISA KEV catalog.
Organizations and developers utilizing OpenClaw for automated browser testing, web scraping, or other browser control tasks are at risk. Specifically, those using OpenClaw in environments where users frequently browse untrusted websites or are susceptible to social engineering attacks are particularly vulnerable. Shared hosting environments where multiple applications share the same Node.js instance could also amplify the risk.
• nodejs: Monitor for unusual browser activity originating from external websites. Use ps aux | grep openclaw to identify running OpenClaw processes. Examine Node.js application logs for suspicious requests to OpenClaw endpoints.
• generic web: Inspect browser developer tools network requests for unexpected POST requests to OpenClaw endpoints. Check browser extensions for potentially malicious code.
• generic web: Review CSP headers to ensure they are properly configured to restrict cross-origin requests.
Disclosure:
Exploit status:
EPSS: 0.02% (4% percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-26317 is to upgrade OpenClaw to version 2026.2.14 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing stricter Origin/Referer validation on the mutation routes as a temporary workaround. This can be achieved by inspecting the request headers and rejecting requests from unauthorized origins. Additionally, implement robust input validation and sanitization to prevent unexpected behavior. After upgrading, confirm the fix by attempting to trigger a state change via a cross-origin request from a separate browser tab; the request should be rejected.
Update OpenClaw to version 2026.2.14 or later. As an alternative mitigation, enable browser-control authentication (token/password) and avoid running it with authentication disabled.
CVE-2026-26317 is a CSRF vulnerability in OpenClaw allowing malicious websites to trigger unauthorized actions within a victim's browser control plane.
You are affected if you are using OpenClaw versions less than or equal to the vulnerable release. Check your installed version and upgrade accordingly.
Upgrade OpenClaw to version 2026.2.14 or later. Consider implementing strict CSP directives as an interim measure.
There is currently no indication of active exploitation in the wild or publicly available proof-of-concept code.
Refer to the OpenClaw project's official advisory channels and GitHub repository for the latest information and updates.