CVE-2026-26317 Overview
OpenClaw is a personal AI assistant that includes a browser control plane accessible via localhost. Prior to version 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. This Cross-Site Request Forgery (CSRF) vulnerability allows malicious websites to trigger unauthorized state changes against a victim's local OpenClaw browser control plane, including opening tabs, starting/stopping the browser, and mutating storage/cookies.
Critical Impact
A malicious website can exploit this CSRF vulnerability to perform unauthorized actions on a victim's local OpenClaw instance, potentially leading to data manipulation, browser hijacking, and privacy violations when the browser control service is reachable on loopback.
Affected Products
- OpenClaw versions prior to 2026.2.14
- OpenClaw browser control plane running on localhost
- Systems with browser control auth disabled
Discovery Timeline
- 2026-02-19 - CVE-2026-26317 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-26317
Vulnerability Analysis
This vulnerability is classified as CWE-352 (Cross-Site Request Forgery). The core issue stems from insufficient origin validation in the browser control plane's HTTP endpoint handlers. While OpenClaw binds to the loopback interface to reduce remote network exposure, this binding alone does not prevent browser-initiated requests from malicious origins. Modern browsers will still send requests to localhost from any webpage context, making the loopback binding an ineffective security boundary against CSRF attacks.
The vulnerable code path allowed mutating HTTP methods (POST, PUT, PATCH, DELETE) to be processed without validating the Origin, Referer, or Sec-Fetch-Site headers. An attacker hosting a malicious webpage could craft requests that a victim's browser would send to their local OpenClaw instance, inheriting the victim's local authentication context.
Root Cause
The root cause is the absence of cross-origin request validation middleware on mutation routes in the browser bridge server. The application assumed that localhost binding provided sufficient protection, neglecting the browser-based attack vector where any website can instruct the browser to make requests to loopback addresses.
Attack Vector
The attack requires user interaction - specifically, the victim must visit a malicious website while their OpenClaw browser control service is running on localhost. The attacker's webpage can then issue cross-origin requests to the victim's local OpenClaw endpoints. Since these requests originate from the victim's browser, they reach the loopback-bound service and can trigger state-changing operations such as:
- Opening new browser tabs with attacker-controlled URLs
- Starting or stopping the browser instance
- Mutating local storage and cookies
- Modifying browser control plane state
// Security patch in src/browser/csrf.ts - CSRF protection middleware
// Source: https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3
+import type { NextFunction, Request, Response } from "express";
+import { isLoopbackHost } from "../gateway/net.js";
+
+function firstHeader(value: string | string[] | undefined): string {
+ return Array.isArray(value) ? (value[0] ?? "") : (value ?? "");
+}
+
+function isMutatingMethod(method: string): boolean {
+ const m = (method || "").trim().toUpperCase();
+ return m === "POST" || m === "PUT" || m === "PATCH" || m === "DELETE";
+}
+
+function isLoopbackUrl(value: string): boolean {
+ const v = value.trim();
+ if (!v || v === "null") {
+ return false;
+ }
+ try {
+ const parsed = new URL(v);
+ return isLoopbackHost(parsed.hostname);
+ } catch {
+ return false;
+ }
+}
+
+export function shouldRejectBrowserMutation(params: {
+ method: string;
+ origin?: string;
+ referer?: string;
+ secFetchSite?: string;
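Review bot: `isLoopbackUrl` returns `false` for three different inputs (an empty value, the literal `null` origin that browsers send for opaque contexts, and a well-formed URL whose host is not loopback), and since `shouldRejectBrowserMutation` is cut off in this excerpt the caller must distinguish "header absent" (a non-browser client such as a local CLI, which should still be served) from "header present but not loopback" (which must be rejected); document that contract on the helper or make the absent-header case explicit at the call site, e.g. check `origin.trim()` before calling `isLoopbackUrl(origin)`. Also note that `parsed.hostname` keeps the square brackets on IPv6 literals (`[::1]`), so confirm `isLoopbackHost` in `../gateway/net.js` accepts the bracketed form or strip the brackets before the comparison.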
Source: GitHub Commit Update
Detection Methods for CVE-2026-26317
Indicators of Compromise
- Unexpected HTTP requests to OpenClaw's localhost endpoints originating from external web pages
- Browser control plane logs showing mutation requests with non-loopback Origin or Referer headers
- Anomalous browser tab openings, storage modifications, or browser state changes without user initiation
- Web server logs containing Sec-Fetch-Site: cross-site headers on mutation endpoints
Detection Strategies
- Monitor OpenClaw browser control plane logs for requests containing cross-origin indicators such as external Origin headers or Sec-Fetch-Site: cross-site
- Implement network monitoring to detect unusual patterns of localhost HTTP traffic coinciding with external web browsing activity
- Review browser history and storage for unexplained modifications that may indicate exploitation
- Deploy endpoint detection rules to flag unauthorized state changes in OpenClaw processes
Monitoring Recommendations
- Enable verbose logging on OpenClaw browser control plane endpoints to capture full request headers
- Configure SentinelOne Singularity XDR to monitor for suspicious localhost network activity patterns
- Set up alerts for OpenClaw process behavior anomalies, particularly around browser automation actions
- Implement application-level auditing to track all mutation operations with their origin context
How to Mitigate CVE-2026-26317
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.14 or later immediately
- Enable browser control authentication (token/password) if not already configured
- Avoid running OpenClaw with authentication disabled, especially in environments where web browsing occurs
- Review OpenClaw logs for any signs of prior exploitation attempts
Patch Information
The security patch is available in OpenClaw version 2026.2.14. The fix introduces the browserMutationGuardMiddleware in src/browser/csrf.ts, which rejects mutating HTTP methods (POST/PUT/PATCH/DELETE) when the request indicates a non-loopback Origin or Referer header, or when Sec-Fetch-Site: cross-site is present.
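As an added example (my own code, not OpenClaw's and not taken from the commit above), the following TypeScript puts the rule described in this paragraph and the cross-origin indicators listed under Detection Strategies into one place: checkBrowserMutation decides whether a mutating request should be refused, and scanLog applies that same decision to a constructed request log so a defender can pull out the entries worth reviewing. The header names follow the advisory; the request paths, port and log line format are assumptions.

```typescript
// Added example (not OpenClaw's code): the rule a loopback-bound control plane
// should apply before honouring a state-changing request, plus a log scanner.
const MUTATING = new Set(["POST", "PUT", "PATCH", "DELETE"]);
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]); // URL.hostname keeps IPv6 brackets
function isLoopbackUrl(value: string): boolean {
  const v = value.trim();
  if (!v || v === "null") return false; // "null" is the opaque origin browsers send
  try {
    return LOOPBACK.has(new URL(v).hostname.toLowerCase());
  } catch {
    return false; // not a URL at all: treat as untrusted
  }
}
export type Verdict = { reject: boolean; reason: string };
// Reject a mutating method when Origin or Referer is present but not loopback, or when
// Sec-Fetch-Site says cross-site. Requests with none of these headers (a local CLI) pass.
export function checkBrowserMutation(method: string, h: Record<string, string>): Verdict {
  if (!MUTATING.has(method.trim().toUpperCase())) return { reject: false, reason: "safe method" };
  if ((h["sec-fetch-site"] ?? "").trim().toLowerCase() === "cross-site") {
    return { reject: true, reason: "sec-fetch-site: cross-site" };
  }
  for (const name of ["origin", "referer"]) {
    const value = (h[name] ?? "").trim();
    if (value && !isLoopbackUrl(value)) return { reject: true, reason: `non-loopback ${name} ${value}` };
  }
  return { reject: false, reason: "loopback or non-browser client" };
}
// Constructed log format: "<method> <path> header=value ...". Returns the entries the guard would reject.
export function scanLog(lines: string[]): string[] {
  const hits: string[] = [];
  for (const line of lines) {
    const [method, path, ...kv] = line.trim().split(/\s+/);
    const headers: Record<string, string> = {};
    for (const pair of kv) {
      const i = pair.indexOf("=");
      if (i > 0) headers[pair.slice(0, i).toLowerCase()] = pair.slice(i + 1);
    }
    const v = checkBrowserMutation(method, headers);
    if (v.reject) hits.push(`${method} ${path}: ${v.reason}`);
  }
  return hits;
}
// Constructed sample: a same-origin UI call, a local CLI call, two cross-origin attempts, a GET.
export const SAMPLE_LOG = [
  "POST /tabs/open origin=http://127.0.0.1:18789 sec-fetch-site=same-origin",
  "POST /browser/stop",
  "POST /tabs/open origin=https://evil.example sec-fetch-site=cross-site",
  "DELETE /cookies referer=https://evil.example/page.html",
  "GET /status origin=https://evil.example",
];
```

Running scanLog over SAMPLE_LOG flags only the two cross-origin mutation attempts; the GET with a foreign Origin is left alone because the guard, like the patch, only covers state-changing methods.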
For detailed patch information, see:
Workarounds
- Enable browser control authentication by configuring token or password-based auth in OpenClaw settings
- Restrict network access to the browser control plane using host-based firewall rules
- Consider running OpenClaw browser control in an isolated browser profile or container
- Temporarily disable the browser control feature if not actively needed until patching is complete
# Configuration example - Enable authentication for OpenClaw browser control
# Add to OpenClaw configuration file or environment variables
# Enable token-based authentication for browser control API
OPENCLAW_BROWSER_AUTH_ENABLED=true
OPENCLAW_BROWSER_AUTH_TOKEN="your-secure-random-token-here"
# Alternatively, use password-based authentication
# OPENCLAW_BROWSER_AUTH_PASSWORD="your-secure-password-here"
# Verify authentication is enabled before starting service
openclaw config --check-auth
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

