{"id":"CVE-2026-28458","details":"OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enabled) /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. Attackers can exploit this by connecting to ws://127.0.0.1:18792/cdp to steal session cookies and execute JavaScript in other browser tabs.","aliases":["GHSA-mr32-vwc2-5j6h"],"modified":"2026-04-02T13:22:11.597650Z","published":"2026-03-05T22:16:18.457Z","references":[{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/openclaw-missing-authentication-in-browser-relay-cdp-websocket-endpoint"},{"type":"ADVISORY","url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-mr32-vwc2-5j6h"},{"type":"FIX","url":"https://github.com/openclaw/openclaw/commit/a1e89afcc19efd641c02b24d66d689f181ae2b5c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openclaw/openclaw","events":[{"introduced":"9a14267dfa5238188a30636bd60eed08f05a7255"},{"fixed":"d842b28a1517f95aae2a5bcd97f2f726e42b93d8"},{"fixed":"a1e89afcc19efd641c02b24d66d689f181ae2b5c"}],"database_specific":{"versions":[{"introduced":"2026.1.20"},{"fixed":"2026.2.1"}]}}],"versions":["v2026.1.20","v2026.1.21","v2026.1.22","v2026.1.23","v2026.1.24","v2026.1.24-1","v2026.1.29","v2026.1.30"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28458.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}]}