Cyber Posture

CVE-2026-26317

High

Published: 19 February 2026
Modified: 26 February 2026
KEV Added: not listed
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L)
EPSS Score: 0.0002 (5.8th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-26317 is a high-severity CSRF (CWE-352) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 5.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Other AI Platforms.

Threat & Defense at a Glance

What attackers do: exploitation maps to Drive-by Compromise (T1189).

Threat & Defense Details

Likely Mitigating Controls

Per-CVE control mapping has not yet been run for this CVE; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-352: Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.

Addresses CWE-352: Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation.

Addresses CWE-352: Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.

Addresses CWE-352: Detects anomalous request patterns consistent with cross-site request forgery.

MITRE ATT&CK Enterprise Techniques

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Why these techniques?

CSRF on localhost browser-control routes allows a malicious site to trigger unauthorized state changes (tab open, browser control, cookie/storage mutation) when the victim visits the page; this directly enables drive-by compromise without needing remote network access to the service.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A malicious website can trigger unauthorized state changes against a victim's local OpenClaw browser control plane (for example opening tabs, starting/stopping the browser, mutating storage/cookies) if the browser control service is reachable on loopback in the victim's browser context. Starting in version 2026.2.14, mutating HTTP methods (POST/PUT/PATCH/DELETE) are rejected when the request indicates a non-loopback Origin/Referer (or `Sec-Fetch-Site: cross-site`). Other mitigations include enabling browser control auth (token/password) and avoiding running with auth disabled.

Deeper analysis

CVE-2026-26317 affects OpenClaw, a personal AI assistant, in versions prior to 2026.2.14. The vulnerability resides in browser-facing localhost mutation routes that accept cross-origin browser requests without explicit Origin or Referer validation. Bound to loopback, these routes reduce remote exposure but fail to block browser-initiated requests from malicious origins, enabling cross-site request forgery (CWE-352). The issue carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L), indicating high integrity and low availability impact.

A malicious website can exploit this vulnerability when a victim visits the site with OpenClaw's browser control service reachable on loopback in their browser context. No privileges are required, but user interaction is needed to load the attacker's page. Successful exploitation allows unauthorized state changes to the victim's local OpenClaw browser control plane, such as opening tabs, starting or stopping the browser, or mutating storage and cookies.

The patch in OpenClaw version 2026.2.14 rejects mutating HTTP methods (POST, PUT, PATCH, DELETE) if the request shows a non-loopback Origin or Referer, or a Sec-Fetch-Site: cross-site header. Additional mitigations recommended in advisories include enabling browser control authentication via token or password and avoiding operation with authentication disabled. Relevant resources include the fixing commit at https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3, release notes at https://github.com/openclaw/openclaw/releases/tag/v2026.2.14, and the security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q.
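The request guard described above, as an added example that is not OpenClaw's own code: a Node.js check that refuses POST/PUT/PATCH/DELETE when Origin or Referer points at a non-loopback site, or when the browser itself marks the request with Sec-Fetch-Site: cross-site. The function names and the Express-style middleware shape are this example's assumptions; the project's actual change is in the commit linked above.

```javascript
// Added example (not OpenClaw's code): a request guard in the spirit of the
// 2026.2.14 fix. Mutating HTTP methods are refused when the browser-supplied
// Origin/Referer points at a non-loopback site, or when the browser labels
// the request cross-site via Sec-Fetch-Site. Function names are assumed.

const MUTATING_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "::1", "[::1]"]);

// True when the URL's host is a loopback address (all of 127.0.0.0/8 counts).
function isLoopbackUrl(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return false; // unparseable values such as "Origin: null" are untrusted
  }
  const host = url.hostname.toLowerCase();
  return LOOPBACK_HOSTS.has(host) || /^127(\.\d{1,3}){3}$/.test(host);
}

// Returns a reason string when the request must be refused, or null to allow.
// `headers` uses lower-case names, as Node's IncomingMessage.headers does.
function crossSiteMutationReason(method, headers) {
  if (!MUTATING_METHODS.has(method.toUpperCase())) {
    return null; // GET/HEAD/OPTIONS do not change state on these routes
  }
  if ((headers["sec-fetch-site"] || "").toLowerCase() === "cross-site") {
    return "Sec-Fetch-Site: cross-site";
  }
  for (const name of ["origin", "referer"]) {
    const value = headers[name];
    if (value !== undefined && !isLoopbackUrl(value)) {
      return `non-loopback ${name}: ${value}`;
    }
  }
  // No Origin/Referer at all (e.g. a local CLI client) is not a browser
  // cross-origin request, so this check lets it through.
  return null;
}

// Express-style middleware (shape assumed, not OpenClaw's API): 403 on refusal.
function rejectCrossSiteMutations(req, res, next) {
  const reason = crossSiteMutationReason(req.method, req.headers);
  if (reason !== null) {
    res.statusCode = 403;
    res.end(`forbidden: ${reason}`);
    return;
  }
  next();
}
```

This guard only closes the browser cross-origin path; it does not replace the token or password authentication the advisory recommends for the browser control service.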

Details

CWE(s): CWE-352

Affected Products: openclaw openclaw, versions ≤ 2026.2.14

AI Security Analysis

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

CVEs Like This One

CVE-2026-41347 (same product: Openclaw Openclaw)
CVE-2026-28477 (same product: Openclaw Openclaw)
CVE-2026-26324 (same product: Openclaw Openclaw)
CVE-2026-26316 (same product: Openclaw Openclaw)
CVE-2026-26322 (same product: Openclaw Openclaw)
CVE-2026-30741 (same product: Openclaw Openclaw)
CVE-2026-26323 (same product: Openclaw Openclaw)
CVE-2026-32015 (same product: Openclaw Openclaw)
CVE-2026-24763 (same product: Openclaw Openclaw)
CVE-2026-41349 (same product: Openclaw Openclaw)
