GHSA-vpj2-69hf-rppw

Source
https://github.com/advisories/GHSA-vpj2-69hf-rppw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vpj2-69hf-rppw/GHSA-vpj2-69hf-rppw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vpj2-69hf-rppw
Aliases
  • CVE-2026-32041
Downstream
Published
2026-03-02T21:49:14Z
Modified
2026-03-30T13:34:57.301743Z
Severity
  • 6.9 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
  • 7.5 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Summary
OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure
Details

Summary

When browser control started without explicit auth credentials, OpenClaw attempted to bootstrap auth automatically. In affected versions, if that bootstrap step threw an error, startup could continue and expose browser-control routes without authentication.

Impact

On affected deployments, a local process (or a loopback-reachable SSRF path) could access browser-control routes, including evaluate-capable actions, without auth.

Fix

Startup now fails closed: if bootstrap auth fails and no explicit token/password is configured, browser-control startup aborts.
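
The fail-open pattern the advisory describes, next to the fail-closed behaviour of the fix, as an added illustration that is not OpenClaw's own code; the function names, the `bootstrapAuth` stand-in and the `bootstrapFails` flag are assumptions made for the example.

```javascript
// Constructed stand-in for the automatic auth bootstrap. It normally returns a
// generated token, and can be told to throw to simulate the failing bootstrap step.
function bootstrapAuth(config) {
  if (config.bootstrapFails) throw new Error("auth bootstrap failed");
  return { token: "generated-token" };
}

// Vulnerable shape: the bootstrap error is caught and logged, and startup carries
// on. With no explicit token/password configured, the routes come up with no
// auth requirement at all.
function startBrowserControlFailOpen(config) {
  let auth = (config.token || config.password)
    ? { token: config.token, password: config.password }
    : null;
  if (!auth) {
    try {
      auth = bootstrapAuth(config);
    } catch (err) {
      console.warn("auth bootstrap failed, continuing:", err.message);
    }
  }
  return { started: true, authRequired: auth !== null, auth };
}

// Fixed shape: explicit credentials win; otherwise bootstrap must succeed, and any
// bootstrap failure aborts startup instead of exposing unauthenticated routes.
function startBrowserControlFailClosed(config) {
  if (config.token || config.password) {
    return { started: true, authRequired: true,
             auth: { token: config.token, password: config.password } };
  }
  let auth;
  try {
    auth = bootstrapAuth(config);
  } catch (err) {
    throw new Error("browser-control startup aborted: " + err.message);
  }
  return { started: true, authRequired: true, auth };
}

// Route gate built on the startup state. In the fail-open state authRequired is
// false, so a request with no token is accepted; this is the exposure described
// under Impact.
function authorizeRequest(state, presentedToken) {
  if (!state.authRequired) return true;
  return presentedToken !== undefined && presentedToken === state.auth.token;
}
```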

Affected and Patched Versions

  • Affected: <= 2026.2.26
  • Patched: 2026.3.1
Database specific
{
    "nvd_published_at": "2026-03-19T22:16:40Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-306"
    ],
    "github_reviewed_at": "2026-03-02T21:49:14Z"
}
References

Affected packages

npm / openclaw

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2026.3.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vpj2-69hf-rppw/GHSA-vpj2-69hf-rppw.json"