OpenClaw Browser Relay allows unauthorized access to sensitive data
CVE-2026-28458
GHSA-mr32-vwc2-5j6h
Summary
A vulnerability in OpenClaw's Browser Relay feature allows attackers to access sensitive data from other browser tabs and steal session cookies. This affects OpenClaw version 2026.1.20 and earlier, only if the Browser Relay extension is installed and enabled. Update to OpenClaw 2026.2.1 or later to fix this issue.
What to do
- Update steipete openclaw to version 2026.2.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | > 2026.1.20, <= 2026.2.1 | 2026.2.1 |
| consistent_lee | moltbot | <= 0.1.0 | – |
| openclaw | openclaw | > 2026.1.20, <= 2026.2.1 | – |
Original title
OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enabled) /cdp WebSocket endpoint in which it does not require authenticat...
Original description
OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enabled) /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. Attackers can exploit this by connecting to ws://127.0.0.1:18792/cdp to steal session cookies and execute JavaScript in other browser tabs.
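A hypothetical hardening check for the failure mode described above (a loopback WebSocket endpoint that accepts any connection without a token), added here as an illustration and not taken from OpenClaw's code; the raw-request layout, the token placement (Bearer header or `token` query parameter) and the allowed extension origin are assumptions.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Assumed allow-list of non-web clients (the relay extension). Placeholder id.
ALLOWED_ORIGINS = {"chrome-extension://EXTENSION_ID_PLACEHOLDER"}


def parse_upgrade_request(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.1 upgrade request into (request-target, headers)."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers


def authorize_cdp_handshake(raw: str, expected_token: str) -> tuple[bool, str]:
    """Decide whether a /cdp WebSocket handshake may proceed (hypothetical check)."""
    target, headers = parse_upgrade_request(raw)
    parts = urlsplit(target)
    if parts.path != "/cdp":
        return False, "not the relay endpoint"
    # Loopback alone proves nothing: any page the browser visits can open
    # ws://127.0.0.1:<port>/..., so every connection must present the secret.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("bearer "):
        presented = auth[7:].strip()
    else:
        presented = parse_qs(parts.query).get("token", [""])[0]
    if not presented or not hmac.compare_digest(presented, expected_token):
        return False, "missing or invalid token"
    # Browsers always send Origin on WebSocket handshakes; a web page's origin
    # is never a legitimate client, so only allow-listed origins (or none) pass.
    origin = headers.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {origin}"
    return True, "ok"


# Constructed sample handshakes for illustration.
EXPECTED_TOKEN = "s3cret-token-example"
WEB_PAGE_NO_TOKEN = ("GET /cdp HTTP/1.1\r\nHost: 127.0.0.1:18792\r\nUpgrade: websocket\r\n"
                     "Origin: https://some-website.example\r\n\r\n")
WEB_PAGE_WITH_TOKEN = ("GET /cdp?token=s3cret-token-example HTTP/1.1\r\nHost: 127.0.0.1:18792\r\n"
                       "Upgrade: websocket\r\nOrigin: https://some-website.example\r\n\r\n")
EXTENSION_CLIENT = ("GET /cdp HTTP/1.1\r\nHost: 127.0.0.1:18792\r\nUpgrade: websocket\r\n"
                    "Origin: chrome-extension://EXTENSION_ID_PLACEHOLDER\r\n"
                    "Authorization: Bearer s3cret-token-example\r\n\r\n")
LOCAL_TOOL = ("GET /cdp HTTP/1.1\r\nHost: 127.0.0.1:18792\r\nUpgrade: websocket\r\n"
              "Authorization: Bearer s3cret-token-example\r\n\r\n")
```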
NVD CVSS 3.1: 8.1
NVD CVSS 4.0: 7.4
Vulnerability type
CWE-306: Missing Authentication for Critical Function
- https://github.com/openclaw/openclaw/commit/a1e89afcc19efd641c02b24d66d689f181ae...
- https://github.com/openclaw/openclaw/security/advisories/GHSA-mr32-vwc2-5j6h
- https://www.vulncheck.com/advisories/openclaw-missing-authentication-in-browser-...
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.1
- https://nvd.nist.gov/vuln/detail/CVE-2026-28458
- https://github.com/advisories/GHSA-mr32-vwc2-5j6h
Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026