CVE-2026-26317
Published: 19 February 2026
Summary
CVE-2026-26317 is a high-severity CSRF (CWE-352) vulnerability in OpenClaw. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 5.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised under Enterprise AI Assistants, in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-9 (Service Identification and Authentication).
Deeper analysis
CVE-2026-26317 affects OpenClaw, a personal AI assistant, in versions prior to 2026.2.14. The vulnerability resides in browser-facing localhost mutation routes that accept cross-origin browser requests without explicit Origin or Referer validation. Binding these routes to loopback reduces remote exposure but does not block browser-initiated requests from malicious origins, which enables cross-site request forgery (CWE-352). The issue carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L), indicating high integrity and low availability impact.
A malicious website can exploit this vulnerability when a victim visits the site with OpenClaw's browser control service reachable on loopback in their browser context. No privileges are required, but user interaction is needed to load the attacker's page. Successful exploitation allows unauthorized state changes to the victim's local OpenClaw browser control plane, such as opening tabs, starting or stopping the browser, or mutating storage and cookies.
The patch in OpenClaw version 2026.2.14 rejects mutating HTTP methods (POST, PUT, PATCH, DELETE) if the request shows a non-loopback Origin or Referer, or a Sec-Fetch-Site: cross-site header. Additional mitigations recommended in advisories include enabling browser control authentication via token or password and avoiding operation with authentication disabled. Relevant resources include the fixing commit at https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3, release notes at https://github.com/openclaw/openclaw/releases/tag/v2026.2.14, and the security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q.
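The rule described above can be sketched as a small request check. This is an added example, not OpenClaw's code from the fixing commit; the function names, sample hosts and port are constructed, and treating an unparsable or `null` Origin as non-loopback is an assumption of this sketch.

```javascript
// Added example, not OpenClaw's code; function names are hypothetical.
const MUTATING_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// True only if the value parses as an http(s) URL whose host is loopback.
function isLoopbackUrl(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return false; // unparsable values, including the opaque origin "null"
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase();
  // WHATWG URL parsing normalises IPv4 shorthand (127.1) to dotted form.
  return host === "localhost" || host === "[::1]" || /^127(\.\d{1,3}){3}$/.test(host);
}

// Decide whether a request may reach a state-changing route.
function checkMutation(method, headers) {
  if (!MUTATING_METHODS.has(String(method).toUpperCase())) {
    return { allow: true, reason: "non-mutating method" };
  }
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  if (String(h["sec-fetch-site"] || "").toLowerCase() === "cross-site") {
    return { allow: false, reason: "Sec-Fetch-Site: cross-site" };
  }
  for (const name of ["origin", "referer"]) {
    if (h[name] !== undefined && !isLoopbackUrl(h[name])) {
      return { allow: false, reason: `non-loopback ${name}` };
    }
  }
  // No browser cross-origin signal. Non-browser clients also land here,
  // which is why token/password auth is still needed on top of this check.
  return { allow: true, reason: "no cross-origin signal" };
}

// Constructed sample requests (not captured traffic; port is arbitrary).
const samples = [
  ["POST", { Origin: "https://other-site.example" }],
  ["POST", { Origin: "http://127.0.0.1:8080", "Sec-Fetch-Site": "same-origin" }],
  ["DELETE", { Referer: "http://localhost.other-site.example/page" }],
  ["PUT", { Origin: "null" }],
  ["GET", { Origin: "https://other-site.example" }],
];
for (const [method, headers] of samples) {
  console.log(method, JSON.stringify(headers), checkMutation(method, headers));
}
```

The host comparison is exact rather than a prefix or substring match, so names such as `localhost.other-site.example` are not mistaken for loopback.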
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8433
Vulnerability details
OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A malicious website can trigger unauthorized state changes against a victim's local OpenClaw browser control plane (for example opening tabs, starting/stopping the browser, mutating storage/cookies) if the browser control service is reachable on loopback in the victim's browser context. Starting in version 2026.2.14, mutating HTTP methods (POST/PUT/PATCH/DELETE) are rejected when the request indicates a non-loopback Origin/Referer (or `Sec-Fetch-Site: cross-site`). Other mitigations include enabling browser control auth (token/password) and avoiding running with auth disabled.
- CWE(s)
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF on localhost browser-control routes allows a malicious site to trigger unauthorized state changes (tab open, browser control, cookie/storage mutation) when the victim visits the page; this directly enables drive-by compromise without needing remote network access to the service.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly enforces authorization decisions on mutating localhost routes by rejecting requests whose Origin/Referer or Sec-Fetch-Site indicate a cross-site browser context.
Requires identification and authentication of the browser-control service before accepting state-changing requests, mitigating the vulnerability when auth is enabled.
Validates Origin, Referer, and Sec-Fetch-Site headers on incoming HTTP requests to block unauthorized cross-origin mutations.