CVE-2026-32041

low-risk
Published 2026-03-19

OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-control routes to remain accessible without authentication. Local processes or loopback-reachable SSRF paths can exploit this to access browser-control routes including evaluate-capable actions without valid credentials.

Do I need to act?

-
0.02% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.9/10 Medium
LOCAL / HIGH complexity

Affected Products (1)

Affected Vendors

Openclaw

References (2)

Vendor Advisory https://github.com/openclaw/openclaw/security/advisories/GHSA-vpj2-69hf-rppw
Third Party Advisory https://www.vulncheck.com/advisories/openclaw-unauthenticated-browser-control-ac...
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal