Missing Authentication for Critical Function in openclaw | CVE-2026-32041

Q: How to fix?

Upgrade openclaw to version 2026.3.1 or higher.

Introduced: 20 Mar 2026

NewCVE-2026-32041 (opens in a new tab) CWE-306 (opens in a new tab)

How to fix?

Upgrade openclaw to version 2026.3.1 or higher.

Overview

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to improper handling of authentication bootstrap errors during startup, which leaves browser-control routes accessible without authentication. An attacker can gain unauthorized access to sensitive browser-control actions, including those capable of code evaluation, by sending requests from local processes or exploiting loopback-reachable SSRF paths.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Local
Attack Complexity (AC)
High
Attack Requirements (AT)
Present
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Missing Authentication for Critical Function Affecting openclaw package, versions <2026.3.1

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 20 Mar 2026

How to fix?

Overview

References

CVSS Base Scores

Snyk