Cyber Posture

CVE-2026-28485

High · Public PoC

Published: 05 March 2026
Modified: 11 March 2026
KEV Added: not listed
Patch: available
CVSS Score: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.1st percentile)
Risk Priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28485 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in OpenClaw (CPE vendor/product: openclaw/openclaw). Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE is ranked at the 33.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

AC-14 (Permitted Actions Without Identification or Authentication) · prevent: Explicitly identifies and authorizes only specific actions without identification or authentication, directly mitigating the failure to enforce mandatory authentication on the privileged /agent/act HTTP route.

AC-3 (Access Enforcement) · prevent: Enforces approved authorizations for logical access to information and system resources, preventing unauthorized local or local-network callers from invoking privileged browser operations.

SI-2 (Flaw Remediation) · prevent: Requires timely identification, reporting, and correction of system flaws, directly addressing the missing authentication vulnerability through patching to OpenClaw 2026.2.12 or later.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1555.003 Credentials from Web Browsers (Credential Access): Adversaries may acquire credentials from web browsers by reading files specific to the target browser.

Why these techniques?

Missing authentication on the local HTTP browser-control endpoint enables remote service exploitation (T1210) for arbitrary browser-context execution and access to sensitive in-session data such as browser credentials (T1555.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP route, allowing unauthorized local callers to invoke privileged operations. Remote attackers on the local network or local processes can execute arbitrary browser-context actions and access sensitive in-session data by sending requests to unauthenticated endpoints.

Deeper analysis [AI-generated]

CVE-2026-28485 is a missing authentication vulnerability (CWE-306) in OpenClaw versions 2026.1.5 prior to 2026.2.12. The issue stems from a failure to enforce mandatory authentication on the /agent/act browser-control HTTP route, which allows unauthorized local callers to invoke privileged operations.

Attackers on the local network, as well as local processes on the host, can exploit this vulnerability by sending requests to the unauthenticated endpoints. Successful exploitation enables execution of arbitrary browser-context actions and access to sensitive in-session data. The CVSS v3.1 base score is 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting high confidentiality, integrity, and availability impacts with low attack complexity and no privileges required.

Mitigation requires upgrading to OpenClaw version 2026.2.12 or later. The patching commit is available at https://github.com/openclaw/openclaw/commit/9230a2ae14307740a13ada7afd6dcfab34e0287f, with further details in the GitHub Security Advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-qpjj-47vm-64pj and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-missing-authentication-in-browser-control-http-endpoints.

Details

CWE(s): CWE-306 (Missing Authentication for Critical Function)

Affected Products

openclaw / openclaw: ≤ 2026.1.5 · 2026.2.9 — 2026.2.12

CVEs Like This One

CVE-2026-28468 · Same product: Openclaw Openclaw
CVE-2026-28472 · Same product: Openclaw Openclaw
CVE-2026-28458 · Same product: Openclaw Openclaw
CVE-2026-32041 · Same product: Openclaw Openclaw
CVE-2026-28450 · Same product: Openclaw Openclaw
CVE-2026-32064 · Same product: Openclaw Openclaw
CVE-2026-4039 · Same product: Openclaw Openclaw
CVE-2026-26319 · Same product: Openclaw Openclaw
CVE-2026-41352 · Same product: Openclaw Openclaw
CVE-2026-28466 · Same product: Openclaw Openclaw

References