Executive Summary

CVE-2026-10281 is a vulnerability in the Enderfga claw-orchestrator up to version 3.5.5, specifically in the EmbeddedServer function of the API Endpoint component. The issue is a missing authentication mechanism in the embedded HTTP server, which allows remote attackers to access critical API endpoints without any authentication.

This means that unless the server is explicitly configured with an authentication token, it runs unauthenticated by default, exposing endpoints that allow attackers to list, create, stop, or control sessions and steal sensitive session data.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts as it allows unauthenticated remote attackers to gain unauthorized access to the claw-orchestrator's API endpoints.

• Attackers can list, create, stop, or control sessions without any authentication.
• Sensitive session data can be stolen through exposed endpoints.

Such unauthorized access can lead to loss of confidentiality, integrity, and availability of the system and its data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the embedded HTTP server of claw-orchestrator is running without authentication, which allows unauthenticated access to critical API endpoints.

Proof-of-concept commands to test for the vulnerability include sending unauthenticated HTTP requests to endpoints such as /session/list, /session/start, or /v1/chat/completions and observing if access is granted without authentication.

For example, using curl to send a request without authentication:

• curl http://<server_address>/session/list
• curl http://<server_address>/session/start
• curl http://<server_address>/v1/chat/completions

If these commands return data or allow actions without requiring authentication tokens, the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the claw-orchestrator component to version 3.5.6 or later, which enforces mandatory authentication on the embedded HTTP server by default.

After upgrading, ensure that authentication is enabled by default. The server will generate a 32-byte token automatically if none is provided, or you can set a custom token using the OPENCLAW_SERVER_TOKEN environment variable.

Authentication can be provided via one of three methods:

• Bearer token in the Authorization header
• clawo_auth cookie
• ?token= query parameter

Avoid disabling authentication by setting OPENCLAW_SERVER_TOKEN=disabled unless running on a single-user host, as this logs a warning and is not recommended.

Use the clawo CLI which automatically reads the token from environment variables or the default token file to interact securely with the server.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability CVE-2026-10281 causes missing authentication in the embedded HTTP server of the claw-orchestrator, allowing unauthenticated remote attackers to access and control critical API endpoints and potentially steal sensitive session data.

Such unauthorized access and potential data exposure could lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require proper access controls and protection of sensitive data.

By allowing unauthenticated access, the vulnerability undermines confidentiality, integrity, and availability controls that are fundamental to these regulations.

Upgrading to version 3.5.6, which enforces mandatory authentication by default, mitigates this issue and helps restore compliance with these security requirements.

Useful 0 Not Useful 0