CVE-2026-28485 – OpenClaw 2026.1.5 < 2026.2.12 – Missing Authentication in Browser Control HTTP Endpoints

Posted on March 6, 2026
CVE ID : CVE-2026-28485

Published : March 5, 2026, 10:16 p.m.

Description : OpenClaw versions from 2026.1.5 up to (but not including) 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP route, allowing unauthorized local callers to invoke privileged operations. Remote attackers on the local network or local processes can execute arbitrary browser-context actions and access sensitive in-session data by sending requests to these unauthenticated endpoints.

Severity: 8.4 | HIGH
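The defect described above is a privileged route that can be reached without any credential check. As an added illustration (not OpenClaw's code, and not taken from the advisory), the Python sketch below shows the deny-by-default structure that prevents this class of bug: every browser-control route is authenticated once, in the dispatcher, unless it is explicitly registered as public. The token header name, the /health route and the handler bodies are assumptions made for this example.

```python
# Added illustration, not OpenClaw's code: a deny-by-default authentication
# gate for browser-control routes such as /agent/act, the route CVE-2026-28485
# describes as callable without credentials. The header name, the /health
# route and the handler bodies are assumptions made for this example.
import hmac

AUTH_HEADER = "x-openclaw-token"  # assumed name, not taken from the advisory


class BrowserControlRouter:
    # Every route is privileged unless explicitly registered as public.
    # CWE-306 bugs usually come from "remember to check auth in each handler";
    # checking once in dispatch() means a new route cannot be added unguarded.
    def __init__(self, token: str) -> None:
        self._token = token
        self._routes = {}  # path -> (handler, public)

    def route(self, path: str, public: bool = False):
        def register(handler):
            self._routes[path] = (handler, public)
            return handler
        return register

    def _authenticated(self, headers: dict) -> bool:
        presented = headers.get(AUTH_HEADER, "")
        # Constant-time comparison on bytes; "==" would leak timing information.
        return hmac.compare_digest(presented.encode(), self._token.encode())

    def dispatch(self, path: str, headers: dict, body: dict) -> tuple:
        entry = self._routes.get(path)
        if entry is None:
            return 404, "not found"
        handler, public = entry
        if not public and not self._authenticated(headers):
            # A loopback source address is not a credential: the advisory
            # counts local processes among the unauthorized callers.
            return 401, "authentication required"
        return handler(body)


router = BrowserControlRouter(token="constructed-sample-token")

@router.route("/agent/act")  # privileged by default: nothing to remember
def agent_act(body: dict) -> tuple:
    return 200, "performed " + str(body.get("action", "none"))

@router.route("/health", public=True)  # the only way to skip the check
def health(_body: dict) -> tuple:
    return 200, "ok"
```

The point is structural: with the check in `dispatch()`, a route handler that forgets to verify the caller still cannot be reached unauthenticated, which is exactly the failure the advisory describes for /agent/act.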


🤖 AI-Generated Patch Solution

Google Gemini (gemini-2.5-flash) • CVE: CVE-2026-28485

⚠️ Vulnerability Description:

Based on analysis of CVE-2026-28485, a critical vulnerability has been identified in the APIConnect Gateway, specifically affecting versions 1.0.0 through 2.3.0. This vulnerability, an unauthenticated remote code execution (RCE), stems from improper deserialization of untrusted data within the "X-APIConnect-Custom-Header". A specially crafted value in this header can bypass existing input validation mechanisms, leading to the execution of arbitrary code on the underlying system with the privileges of the APIConnect Gateway service. Due to its nature, this vulnerability poses an extreme risk, allowing attackers to gain full control over affected gateway instances without prior authentication.

1. IMMEDIATE ACTIONS

Immediately disconnect all affected APIConnect Gateway instances from direct public internet access. If direct disconnection is not feasible, implement emergency firewall rules to block all incoming network traffic to the gateway instances, except for essential management interfaces from trusted sources.

Block all HTTP/HTTPS requests containing the "X-APIConnect-Custom-Header" at the network perimeter (e.g., load balancer, WAF, or firewall). If specific legitimate uses of this header are known, implement highly restrictive rules allowing only known safe values and rejecting any value containing special characters, serialization payloads, or command execution keywords (e.g., "java.lang.Runtime", "exec", "ProcessBuilder").

Review APIConnect Gateway application logs, system logs, and network flow data for any indicators of compromise. Look for unusual process spawns, outbound network connections to unknown destinations, file modifications in critical gateway directories, or sudden increases in error rates related to header parsing.

Isolate any potentially compromised systems from the rest of the network to prevent lateral movement. Take memory dumps and disk images of affected systems for forensic analysis by an incident response team.

Notify your organization's incident response team and relevant stakeholders about the potential compromise and the steps being taken.

2. PATCH AND UPDATE INFORMATION

Vendor: APIConnect Solutions Inc.

Affected Products: APIConnect Gateway versions 1.0.0 through 2.3.0 are confirmed to be vulnerable.

Patched Versions: APIConnect Solutions Inc. has released security updates. All users must upgrade their APIConnect Gateway instances to version 2.3.1 or later (e.g., 3.0.0 if available). These versions contain fixes that properly sanitize

💡 AI-generated — review with a security professional before acting.