wid-sec-w-2026-0557 · Published 2026-03-01 · View on BSI CERT-Bund ↗

OpenClaw: Multiple Vulnerabilities

CVSS 8.7 HIGH

Risk Summary

OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-control routes to remain accessible without authentication. Local processes or loopback-reachable SSRF paths can exploit this to access browser-control routes including evaluate-capable actions without valid credentials.

CVEs (7)

CVE-2026-28461 CVE-2026-31989 CVE-2026-32041 CVE-2026-32048 CVE-2026-32051 CVE-2026-32066 CVE-2026-32902

Affected Vendors

Open Source

Affected Products (2)

Open Source · OpenClaw <2026.3.1

Open Source · OpenClaw 2026.3.1

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more