CVE-2026-26317: OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints
Browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins.
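The check the advisory describes as missing, as an added example that is not OpenClaw's code: a request validator for a loopback-bound HTTP server that only lets a state-changing request through when its Origin (or, failing that, Referer) origin is on an explicit allow list, and fails closed when neither header is present. The function names, the allow list and the port are assumptions.

```javascript
// Added example (not OpenClaw's code): explicit Origin/Referer validation for
// browser-facing mutation routes on a loopback-bound HTTP server.
// Loopback binding keeps remote hosts out, but any page the user's browser
// visits can still send fetch()/form POSTs to http://127.0.0.1, so the server
// must itself decide which browser origins may trigger a mutation.

const ALLOWED_ORIGINS = new Set([
  "http://127.0.0.1:18789", // assumed local UI origin (placeholder port)
  "http://localhost:18789",
]);

// Reduce a URL to its origin (scheme://host[:port]); null if unparseable/absent.
function originOf(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// Decide whether a request may reach a mutation route.
// headers: object of lowercased header names -> values, as Node's
// IncomingMessage.headers provides. Returns { ok, reason }.
function checkMutationRequest(method, headers, allowed = ALLOWED_ORIGINS) {
  const m = method.toUpperCase();
  // Safe methods change no state; CSRF defences target the mutating ones.
  if (m === "GET" || m === "HEAD" || m === "OPTIONS") {
    return { ok: true, reason: "safe-method" };
  }
  // Browsers attach Origin to POST/PUT/DELETE, so a cross-site attempt carries
  // the attacking site's origin (or the literal "null" for opaque origins),
  // neither of which is in the allow list.
  const origin = headers["origin"];
  if (origin !== undefined) {
    return allowed.has(origin)
      ? { ok: true, reason: "origin-allowed" }
      : { ok: false, reason: "origin-denied" };
  }
  // Fallback: a request without Origin may still carry Referer; use its origin.
  const refOrigin = originOf(headers["referer"]);
  if (refOrigin !== null) {
    return allowed.has(refOrigin)
      ? { ok: true, reason: "referer-allowed" }
      : { ok: false, reason: "referer-denied" };
  }
  // Neither header: fail closed. Non-browser clients (CLI tools, scripts)
  // should instead authenticate explicitly, e.g. with a bearer token.
  return { ok: false, reason: "no-origin-or-referer" };
}
```

A practical detection signal from the same check is to log every "origin-denied" and "referer-denied" result with the offending origin, since a burst of them against a loopback service is exactly what a CSRF attempt looks like from the server side.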
References
- github.com/advisories/GHSA-3fqr-4cg8-h96q
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3
- github.com/openclaw/openclaw/releases/tag/v2026.2.14
- github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q
- nvd.nist.gov/vuln/detail/CVE-2026-26317