Home / Vulnerability Intelligence / CVE-2026-28485

CVE-2026-28485 - Vulnerability Analysis

HighCVSS: 8.4

Last Updated: March 5, 2026

OpenClaw - Authentication Bypass

Published: March 5, 2026Updated: March 5, 2026

Overview

OpenClaw < 2026.2.12 contains a broken authentication caused by lack of mandatory authentication enforcement on /agent/act browser-control HTTP route, letting unauthorized local or network attackers execute privileged browser actions and access sensitive data, exploit requires local network or local process access.

Severity & Score

Severity: High

CVSS Score: 8.4

EPSS Score: 6.3%(Probability of exploitation in next 30 days)

Impact

Unauthorized attackers can execute privileged browser actions and access sensitive session data, risking data exposure and control over browser context.

Mitigation

Upgrade to version 2026.2.12 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 6, 2026

🟠 CVE-2026-28485 - High (8.4) OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP route, allowing unauthorized local callers to invoke privileged operations. Remote attackers on the local network or loca... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28485/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-28485
Severity: High
CVSS Score: 8.4
Type: broken_authentication
Status: new
EPSS: 6.3%
Social Posts: 1

CWE

CWE-306

CVSS Metrics

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

6.3%Probability of exploitation in the next 30 days