CVE-2026-32041
Published: 19 March 2026
Summary
CVE-2026-32041 is a medium-severity Missing Authentication for Critical Function (CWE-306) vulnerability in OpenClaw (vendor: OpenClaw). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 5.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-14 explicitly limits and documents permitted actions without identification or authentication, directly preventing exposure of unauthenticated browser-control routes due to failed auth bootstrap.
SI-11 ensures secure error handling during authentication bootstrap failures, avoiding the condition where critical routes remain accessible without credentials.
AC-3 enforces approved access authorizations, blocking unauthorized local or SSRF exploitation of browser-control routes lacking authentication.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Auth bypass (CWE-306) on browser-control/evaluate routes directly enables exploitation of the application for unauthenticated arbitrary operations (T1190); evaluate actions in browser context map to JavaScript command/script execution (T1059.007).
NVD Description
OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-control routes to remain accessible without authentication. Local processes or loopback-reachable SSRF paths can exploit this to access browser-control routes, including evaluate-capable actions, without valid credentials.
Deeper analysis
CVE-2026-32041 is a vulnerability in OpenClaw versions prior to 2026.3.1 that results from improper handling of authentication bootstrap errors during startup, classified under CWE-306 (Missing Authentication for Critical Function). This flaw allows browser-control routes to remain accessible without authentication, even after failed bootstrap. The issue carries a CVSS v3.1 base score of 6.9 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L), indicating medium severity with high impacts on confidentiality and integrity.
Attackers with local access or the ability to reach loopback interfaces via SSRF can exploit this vulnerability without privileges. Exploitation involves targeting the unauthenticated browser-control routes, including evaluate-capable actions, to execute arbitrary operations without valid credentials. Successful attacks enable high-level data exposure and modification within the browser context, with low availability disruption.
Mitigation details are available in the official advisories: the OpenClaw GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-vpj2-69hf-rppw and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-unauthenticated-browser-control-access-via-failed-auth-bootstrap. Upgrading to OpenClaw version 2026.3.1 addresses the authentication handling defect.
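The defect class described above is a fail-open authentication bootstrap: an error while loading credentials is caught and the route guard then treats "no verifier" as "no authentication required". The following added illustration (not OpenClaw's code; the route name, config shape and guard functions are hypothetical) contrasts that pattern with a fail-closed guard that denies critical routes until authentication is actually configured.

```javascript
// Added illustration, not OpenClaw's code. The bootstrap, config shape and
// route guard below are hypothetical stand-ins for a real server's auth setup.

// Simulated auth bootstrap: returns a request verifier, or throws when the
// configuration is unusable (e.g. no token set).
function bootstrapAuth(config) {
  if (!config || typeof config.token !== "string" || config.token.length === 0) {
    throw new Error("auth bootstrap failed: no token configured");
  }
  return (req) => req.headers.authorization === `Bearer ${config.token}`;
}

// Vulnerable pattern (fail-open): the bootstrap error is swallowed, `verify`
// stays undefined, and the guard only checks credentials when a verifier exists.
function buildFailOpenGuard(config) {
  let verify;
  try { verify = bootstrapAuth(config); } catch (e) { /* logged, then ignored */ }
  return (req) => {
    if (verify && !verify(req)) return 401;
    return 200; // browser-control route handled, even with no auth configured
  };
}

// Hardened pattern (fail-closed): a bootstrap error puts the guard into a
// deny-all state; critical routes answer 503 until auth is actually configured.
function buildFailClosedGuard(config) {
  let verify = null;
  try { verify = bootstrapAuth(config); } catch (e) { verify = null; }
  return (req) => {
    if (verify === null) return 503;   // auth never came up: refuse, don't expose
    if (!verify(req)) return 401;      // auth up, credentials missing or wrong
    return 200;
  };
}

// Constructed sample requests against an evaluate-style browser-control route.
const unauthenticated = { path: "/browser/evaluate", headers: {} };
const authenticated = { path: "/browser/evaluate", headers: { authorization: "Bearer secret-token" } };
const brokenConfig = {};                      // makes bootstrapAuth throw
const goodConfig = { token: "secret-token" };  // valid bootstrap

function demo() {
  return {
    failOpenBroken: buildFailOpenGuard(brokenConfig)(unauthenticated),       // 200: exposed
    failClosedBroken: buildFailClosedGuard(brokenConfig)(unauthenticated),   // 503: denied
    failClosedGood: buildFailClosedGuard(goodConfig)(authenticated),         // 200
    failClosedGoodNoAuth: buildFailClosedGuard(goodConfig)(unauthenticated), // 401
  };
}
```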
Details
- CWE(s)