CVE-2026-32041
MEDIUM6.9EPSS 0.02%OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure
描述
### Summary When browser control started without explicit auth credentials, OpenClaw attempted to bootstrap auth automatically. In affected versions, if that bootstrap step threw an error, startup could continue and expose browser-control routes without authentication. ### Impact On affected deployments, a local process (or a loopback-reachable SSRF path) could access browser-control routes, including evaluate-capable actions, without auth. ### Fix Startup now fails closed: if bootstrap auth fails and no explicit token/password is configured, browser-control startup aborts. ### Affected and Patched Versions - Affected: `<= 2026.2.26` - Patched: `2026.3.1`
受影響套件(1)
- npm/openclawfrom 0, < 2026.3.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM6.9 | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L |