Vulnerability Details CVE-2026-28485
OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP route, allowing unauthorized local callers to invoke privileged operations. Remote attackers on the local network or local processes can execute arbitrary browser-context actions and access sensitive in-session data by sending requests to unauthenticated endpoints.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 19.5%
CVSS Severity
CVSS v3 Score 8.4