Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.
8.5

OpenClaw Sandbox Browser Bridge Allows Local Privilege Escalation

CVE-2026-28468 GHSA-h9g4-589h-68xv
Summary

OpenClaw versions 2026.1.29-beta.1 to 2026.2.14 have a security flaw that lets a local attacker access sensitive browser data. This means a nearby user could potentially steal or manipulate information from other users who are logged in. To stay secure, update to version 2026.2.14 or later.

What to do
  • Update steipete openclaw to version 2026.2.14.
Affected software
VendorProductAffected versionsFix available
steipete openclaw > 2026.1.29-beta.1 , <= 2026.2.14 2026.2.14
openclaw openclaw > 2026.1.29 , <= 2026.2.14 –
Original title
OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser bridge server in which it accepts requests without requiring gateway authentication, allowing lo...
Original description
OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser bridge server in which it accepts requests without requiring gateway authentication, allowing local attackers to access browser control endpoints. A local attacker can enumerate tabs, retrieve WebSocket URLs, execute JavaScript, and exfiltrate cookies and session data from authenticated browser contexts.
nvd CVSS3.1 7.7
nvd CVSS4.0 8.5
Vulnerability type
CWE-306 Missing Authentication for Critical Function
Published: 5 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026