Cyber Resilience

CVE-2026-26317

High

Published: 19 February 2026

Published
19 February 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
EPSS Score 0.0002 5.9th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26317 is a high-severity CSRF (CWE-352) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 5.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-9 (Service Identification and Authentication).

Deeper analysis

CVE-2026-26317 affects OpenClaw, a personal AI assistant, in versions prior to 2026.2.14. The vulnerability resides in browser-facing localhost mutation routes that accept cross-origin browser requests without explicit Origin or Referer validation. Bound to loopback, these routes reduce remote exposure but fail to block browser-initiated requests from malicious origins, enabling cross-site request forgery (CWE-352). The issue carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L), indicating high integrity and low availability impact.

A malicious website can exploit this vulnerability when a victim visits the site with OpenClaw's browser control service reachable on loopback in their browser context. No privileges are required, but user interaction is needed to load the attacker's page. Successful exploitation allows unauthorized state changes to the victim's local OpenClaw browser control plane, such as opening tabs, starting or stopping the browser, or mutating storage and cookies.

The patch in OpenClaw version 2026.2.14 rejects mutating HTTP methods (POST, PUT, PATCH, DELETE) if the request shows a non-loopback Origin or Referer, or a Sec-Fetch-Site: cross-site header. Additional mitigations recommended in advisories include enabling browser control authentication via token or password and avoiding operation with authentication disabled. Relevant resources include the fixing commit at https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3, release notes at https://github.com/openclaw/openclaw/releases/tag/v2026.2.14, and the security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q.

EU & UK References

Vulnerability details

OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A malicious website can trigger…

more

unauthorized state changes against a victim's local OpenClaw browser control plane (for example opening tabs, starting/stopping the browser, mutating storage/cookies) if the browser control service is reachable on loopback in the victim's browser context. Starting in version 2026.2.14, mutating HTTP methods (POST/PUT/PATCH/DELETE) are rejected when the request indicates a non-loopback Origin/Referer (or `Sec-Fetch-Site: cross-site`). Other mitigations include enabling browser control auth (token/password) and avoid running with auth disabled.

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Why these techniques?

CSRF on localhost browser-control routes allows a malicious site to trigger unauthorized state changes (tab open, browser control, cookie/storage mutation) when the victim visits the page; this directly enables drive-by compromise without needing remote network access to the service.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28477Same product: Openclaw Openclaw
CVE-2026-41347Same product: Openclaw Openclaw
CVE-2026-32302Same product: Openclaw Openclaw
CVE-2026-26323Same product: Openclaw Openclaw
CVE-2026-41349Same product: Openclaw Openclaw
CVE-2026-26322Same product: Openclaw Openclaw
CVE-2026-26316Same product: Openclaw Openclaw
CVE-2026-26321Same product: Openclaw Openclaw
CVE-2026-32025Same product: Openclaw Openclaw
CVE-2026-26325Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.2.14

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization decisions on mutating localhost routes by rejecting requests whose Origin/Referer or Sec-Fetch-Site indicate a cross-site browser context.

prevent

Requires identification and authentication of the browser-control service before accepting state-changing requests, mitigating the vulnerability when auth is enabled.

prevent

Validates Origin, Referer, and Sec-Fetch-Site headers on incoming HTTP requests to block unauthorized cross-origin mutations.

References