CVE-2026-26317 - OpenClaw affected by cross-site request forgery (CSRF) through loopback browser ...

CVE ID : CVE-2026-26317 Published : Feb. 19, 2026, 10:16 p.m. | 26 minutes ago Description : OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A malicious website can trigger unauthorized state changes against a victim's local OpenClaw browser control plane (for example opening tabs, starting/stopping the browser, mutating storage/cookies) if the browser control service is reachable on loopback in the victim's browser context. Starting in version 2026.2.14, mutating HTTP methods (POST/PUT/PATCH/DELETE) are rejected when the request indicates a non-loopback Origin/Referer (or `Sec-Fetch-Site: cross-site`). Other mitigations include enabling browser control auth (token/password) and avoid running with auth disabled. Severity: 7.1 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...