CVE-2026-28485

Published: Mar 05, 2026 Last Modified: Mar 11, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 7,5
Source: [email protected]
Attack Vector: local
Attack Complexity: low
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
HIGH 8,4
Source: [email protected]
Attack Vector: local
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high

Description

AI Translation Available

OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP route, allowing unauthorized local callers to invoke privileged operations. Remote attackers on the local network or local processes can execute arbitrary browser-context actions and access sensitive in-session data by sending requests to unauthenticated endpoints.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0006
Percentile
0,2th
Updated

EPSS Score Trend (Last 11 Days)

306

Missing Authentication for Critical Function

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Access Control Other
Potential Impacts:
Gain Privileges Or Assume Identity Varies By Context
Applicable Platforms
Technologies: Cloud Computing, ICS/OT
Likelihood of Exploit: High
View CWE Details
Application

Openclaw by Openclaw

Product Information
Vendor Openclaw
Product Openclaw
Version Range Affected
From 2026.2.9 (inclusive)
To 2026.2.12 (exclusive)
cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Openclaw by Openclaw

Product Information
Vendor Openclaw
Product Openclaw
Version Range Affected
To 2026.1.5 (inclusive)
cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://github.com/openclaw/openclaw/commit/9230a2ae1430774…
https://github.com/openclaw/openclaw/commit/9230a2ae14307740a13ada7afd6dcfab34e…
https://github.com/openclaw/openclaw/security/advisories/GH…
https://github.com/openclaw/openclaw/security/advisories/GHSA-qpjj-47vm-64pj
https://www.vulncheck.com/advisories/openclaw-missing-authe…
https://www.vulncheck.com/advisories/openclaw-missing-authentication-in-browser…