CVE-2026-32041
Authentication Bypass in OpenClaw Allows Unauthorized Browser Control
Publication date: 2026-03-19
Last updated on: 2026-03-23
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | all versions before 2026.3.1 (2026.3.1 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects OpenClaw versions before 2026.3.1. During startup, an error in the authentication bootstrap is not handled correctly: instead of failing closed, the service leaves certain browser-control routes reachable without any authentication (CWE-306, missing authentication for critical function).
Because those routes are served on the loopback interface, any local process, or any SSRF path from another service that can reach loopback, can call them. That includes evaluate-capable actions, that is, actions that evaluate commands or code, so an attacker needs no valid credentials to use them.
How can this vulnerability impact me?
An attacker who can reach the loopback interface (a local process, or a remote attacker with an SSRF path through another service on the host) gains access to the browser-control routes, including evaluate-capable actions, without presenting any credentials.
That amounts to unauthorized code execution through the controlled browser and manipulation of the affected system, compromising confidentiality, integrity, and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection is a version check: every OpenClaw release before 2026.3.1 is in the affected range. The exact command depends on how OpenClaw was installed, so use the version reporting of the CLI or of the package manager that installed it, and treat anything older than 2026.3.1 as affected.
What immediate steps should I take to mitigate this vulnerability?
Upgrade to OpenClaw 2026.3.1 or later, the first release outside the affected range. Until the upgrade is done, reduce what can reach the loopback listener: do not run untrusted local processes on the same host, and review services on that host that could be made to issue requests to loopback (the SSRF path described above), since either can reach the unauthenticated browser-control routes.