CVE-2026-53812
Analyzed Analyzed - Analysis Complete

Server-Side Request Forgery in OpenClaw Browser Control

Vulnerability report for CVE-2026-53812, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-12

Assigner: VulnCheck

Description

OpenClaw before 2026.5.18 contains a server-side request forgery vulnerability in browser control that allows authenticated users to bypass private-network navigation checks through Playwright act interactions. Attackers can trigger navigation to private-network targets via action-triggered redirects and subsequently read restricted page content using browser evaluation capabilities.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-11
Last Modified
2026-06-12
Generated
2026-07-02
AI Q&A
2026-06-12
EPSS Evaluated
2026-06-30
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.5.18 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

Detection of this vulnerability involves identifying if your OpenClaw deployment is running a version prior to 2026.5.18 with browser control enabled.

Since the vulnerability allows authenticated users to bypass private-network navigation checks via Playwright act interactions, monitoring for unusual or unauthorized browser control actions that trigger navigation to private or loopback URLs can help detect exploitation attempts.

Specific commands are not provided in the available resources, but general steps include:

  • Check the OpenClaw version by querying the application or its deployment metadata.
  • Monitor logs for browser control actions that cause redirects or navigation to private network addresses.
  • Use network monitoring tools to detect unexpected requests to private or loopback IP ranges originating from authenticated sessions.
Mitigation Strategies

The primary mitigation step is to upgrade OpenClaw to version 2026.5.18 or later, which contains a patch that resolves this vulnerability.

Additionally, restrict browser-control access to trusted operators only to reduce the risk of exploitation.

Ensure that authentication mechanisms are robust since the vulnerability requires authenticated access.

Executive Summary

This vulnerability exists in OpenClaw versions before 2026.5.18 and is a server-side request forgery (SSRF) issue in the browser control component. It allows authenticated users to bypass private-network navigation restrictions by using Playwright action interactions. Attackers can cause the browser to navigate to private network targets through action-triggered redirects and then read restricted page content by evaluating scripts in the browser.

Impact Analysis

The vulnerability can allow an attacker with authentication to access and read content from private network resources that should normally be restricted. This could lead to unauthorized disclosure of sensitive internal information or data leakage from protected environments.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53812. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart