Cross-site Request Forgery (CSRF) Affecting openclaw package, versions <2026.3.31-beta.1
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-OPENCLAW-15894787
- published5 Apr 2026
- disclosed3 Apr 2026
- creditUnknown
Introduced: 3 Apr 2026
New CVE NOT AVAILABLE CWE-346 (opens in a new tab)How to fix?
Upgrade openclaw to version 2026.3.31-beta.1 or higher.
Overview
openclaw is a 🦞 OpenClaw — Personal AI Assistant
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) in the HTTP operator endpoints when running in trusted-proxy mode, as browser-origin validation is not enforced. An attacker can perform unauthorized actions on behalf of authenticated users by tricking them into visiting a malicious website that issues crafted requests to the affected endpoints. This is only exploitable if the deployment uses identity-bearing trusted-proxy browser configurations rather than the shared-secret HTTP operator model.