CVE-2026-41347 LOW

CVE-2026-41347: OpenClaw < 2026.3.31 - Cross-Site Request Forgery via Missing Browser-Origin Validation in HTTP Operator Endpoints

Vendor Openclaw
Product OpenClaw
Weakness CWE-352 · CSRF
Published April 23, 2026
Last update April 25, 2026
View on NVD All CVEs

CVSS base score

2.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

What the vulnerability does

01Description

OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by sending malicious requests from a browser in trusted-proxy deployments to perform unauthorized actions on HTTP operator endpoints.

Key dates

02Disclosure timeline

April 23, 2026 CVE published
April 25, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-31293 WordPress Easy Digital Downloads plugin <= 3.2.6 - Cross Site Request Forgery (CSRF) vulnerability CVE-2025-59892 Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server CVE-2024-48038 WordPress wp-Monalisa plugin <= 6.4 - Cross Site Request Forgery (CSRF) vulnerability CVE-2026-40703 BIG-IP Configuration utility CSRF vulnerability CVE-2025-39415 WordPress Social Media Links plugin <= 1.0.3 - CSRF to Stored XSS vulnerability