Platform: nodejs
Component: openclaw
Fixed in: 2026.2.15, 2026.1.25, 2026.2.14
CVE-2026-26317 describes a Cross-Site Request Forgery (CSRF) vulnerability in OpenClaw, a Node.js library for browser control. The flaw lets a malicious website trigger unauthorized actions against the victim's local browser control plane, which can lead to tab manipulation and storage modification. It affects OpenClaw versions up to and including the vulnerable release; a fix is available in version 2026.2.14.
The root cause is that the localhost mutation routes accept cross-origin browser requests without validating the Origin or Referer header. Binding to the loopback interface limits remote exposure, but it does not stop a malicious website loaded in the victim's browser from making that browser issue requests to the loopback endpoint on the page's behalf. Successful exploitation could allow an attacker to open new tabs, close existing tabs, start or stop the browser process, and modify browser storage and cookies. This is a significant risk, particularly where OpenClaw is used for automated browser testing or control.
CVE-2026-26317 was publicly disclosed on 2026-02-18. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 7.1 (HIGH) reflects the potential impact of unauthorized browser control.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC
The primary mitigation is to upgrade OpenClaw to version 2026.2.14 or later. If an immediate upgrade is not feasible because of compatibility issues, consider strict Content Security Policy (CSP) directives to restrict cross-origin requests to the OpenClaw endpoints, and carefully review and validate any user input that influences OpenClaw's behavior. A WAF might offer some protection but is unlikely to be effective against browser-initiated CSRF, since the forged requests come from the victim's own browser over the loopback interface. No Sigma or YARA rules are readily available for this vulnerability; monitoring for unusual browser-control activity initiated from external websites is recommended.
Update OpenClaw to version 2026.2.14 or later. As an alternative mitigation, enable browser control authentication (token/password) and avoid running it with authentication disabled.
CVE-2026-26317 is a CSRF vulnerability in OpenClaw allowing malicious websites to trigger unauthorized actions within a victim's browser control plane.
You are affected if you run an OpenClaw version up to and including the vulnerable release. Check your installed version and upgrade accordingly.
Upgrade OpenClaw to version 2026.2.14 or later. Consider implementing strict CSP directives as an interim measure.
There is currently no indication of active exploitation in the wild or publicly available proof-of-concept code.
Refer to the OpenClaw project's official advisory channels and GitHub repository for the latest information and updates.