CVE-2026-62226
Received Received - Intake

Authorization Bypass in OpenClaw Browser Act Route

Vulnerability report for CVE-2026-62226, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

OpenClaw 2026.3.28 before 2026.5.19 contain an authorization bypass vulnerability in the browser act route that fails to properly validate current-tab URL checks. Attackers with lower-trust access or configured input paths can perform actions requiring stronger authorization or policy checks.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
openclaw openclaw to 2026.5.19 (exc)
openclaw openclaw 2026.5.19

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

OpenClaw versions 2026.3.28 through 2026.5.19 have an authorization bypass flaw in the browser act route. The system fails to properly validate current-tab URL checks, allowing attackers with lower-trust access to perform actions that require stronger authorization or policy checks.

Detection Guidance

To detect this vulnerability, check OpenClaw versions between 2026.3.28 and 2026.5.19. Verify if the browser act route is accessible to lower-trust users or input paths. Inspect server logs for unauthorized actions performed via this route.

Impact Analysis

Attackers could exploit this to perform unauthorized actions that normally require higher privileges. The impact depends on configuration and whether lower-trust input can reach the affected path. The vulnerability has high severity due to potential confidentiality breaches.

Compliance Impact

This vulnerability could potentially impact compliance with GDPR and HIPAA by allowing unauthorized access to sensitive data or actions due to improper authorization checks. If exploited, it may lead to unauthorized data exposure or modification, violating confidentiality requirements in these regulations.

Mitigation Strategies

Upgrade OpenClaw to version 2026.5.19 or later. Restrict access to the browser act route to trusted operators only. Review and enforce authorization policies for all users and input paths.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62226. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart