CVE-2026-32041
OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure
Description
### Summary

When browser control started without explicit auth credentials, OpenClaw attempted to bootstrap auth automatically. In affected versions, if that bootstrap step threw an error, startup could continue and expose browser-control routes without authentication.

### Impact

On affected deployments, a local process (or a loopback-reachable SSRF path) could access browser-control routes, including evaluate-capable actions, without auth.

### Fix

Startup now fails closed: if bootstrap auth fails and no explicit token/password is configured, browser-control startup aborts.

### Affected and Patched Versions

- Affected: `<= 2026.2.26`
- Patched: `2026.3.1`
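The fail-open pattern the advisory describes, next to the fail-closed form, as an added illustration that is hypothetical code and not OpenClaw's own; the names `config.token`, `config.password` and `bootstrapAuth()` are assumptions.

```javascript
// Stand-in for the automatic auth bootstrap, which may throw (e.g. token store not writable).
function bootstrapAuth(shouldFail) {
  if (shouldFail) throw new Error("cannot persist generated token");
  return { token: "constructed-bootstrap-token" }; // constructed sample value
}

// Affected pattern: the bootstrap error is logged and swallowed, so startup continues
// with auth === null; a guard that only enforces "when auth is configured" then lets
// every request through.
function startVulnerable(config, bootstrapFails) {
  let auth = config.token ? { token: config.token } : null;
  if (!auth) {
    try {
      auth = bootstrapAuth(bootstrapFails);
    } catch (err) {
      console.warn("auth bootstrap failed, continuing:", err.message);
    }
  }
  return { started: true, auth };
}

function guardVulnerable(state, presented) {
  if (!state.auth) return true; // no auth configured -> routes open (the bug's impact)
  return presented === state.auth.token;
}

// Fixed pattern: abort startup when bootstrap fails and no explicit credential exists.
function startFailClosed(config, bootstrapFails) {
  if (config.token || config.password) {
    return { started: true, auth: { token: config.token || config.password } };
  }
  try {
    return { started: true, auth: bootstrapAuth(bootstrapFails) };
  } catch (err) {
    throw new Error(`browser control not started: auth bootstrap failed (${err.message})`);
  }
}

// Defence in depth at the route: missing auth state is a deny, never an allow.
// (A production guard should compare tokens in constant time, e.g. crypto.timingSafeEqual.)
function guardFailClosed(state, presented) {
  if (!state.auth || !state.auth.token) return false;
  return presented === state.auth.token;
}
```

Running `startVulnerable({}, true)` reproduces the affected behaviour (started, no auth), while `startFailClosed({}, true)` throws instead of exposing the routes.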
How to fix CVE-2026-32041
To remediate CVE-2026-32041, upgrade the affected package to a fixed version below.
- upgrade to 2026.3.1 or later
Is CVE-2026-32041 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2026.3.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 6.9 | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L |