CVE-2026-32041: OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure

March 2, 2026 (updated March 20, 2026)

When browser control started without explicit auth credentials, OpenClaw attempted to bootstrap auth automatically. In affected versions, if that bootstrap step threw an error, startup could continue and expose browser-control routes without authentication.

References

github.com/advisories/GHSA-vpj2-69hf-rppw
github.com/openclaw/openclaw
github.com/openclaw/openclaw/security/advisories/GHSA-vpj2-69hf-rppw
nvd.nist.gov/vuln/detail/CVE-2026-32041
www.vulncheck.com/advisories/openclaw-unauthenticated-browser-control-access-via-failed-auth-bootstrap

Code Behaviors & Features

Detect and mitigate CVE-2026-32041 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →