CVE-2026-28395

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-28395

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28395.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-28395

Aliases

GHSA-qw99-grcx-4pvm

Published

2026-03-05T22:16:16.173Z

Modified

2026-03-14T08:46:11.182983Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVSS Calculator

Summary

[none]

Details

OpenClaw version 2026.1.14-1 prior to 2026.2.12 contain an improper network binding vulnerability in the Chrome extension (must be installed and enabled) relay server that treats wildcard hosts as loopback addresses, allowing the relay HTTP/WS server to bind to all interfaces when a wildcard cdpUrl is configured. Remote attackers can access relay HTTP endpoints off-host to leak service presence and port information, or conduct denial-of-service and brute-force attacks against the relay token header.

References

Affected packages

Git / github.com/openclaw/openclaw

Affected ranges

Type

GIT

Repo

https://github.com/openclaw/openclaw

Events

Introduced

8daab932a2a8691073ac282ee594498b5e6cc3c0

Fixed

d8d69ccbf464788a3ac0406b917d422ddf0dd84e

Fixed

8d75a496bf5aaab1755c56cf48502d967c75a1d0

Fixed

a1e89afcc19efd641c02b24d66d689f181ae2b5c

Database specific

{
    "versions": [
        {
            "introduced": "2026.1.14-1"
        },
        {
            "fixed": "2026.2.12"
        }
    ]
}

Affected versions

v2026.*

v2026.1.14-1

v2026.1.15

v2026.1.16-2

v2026.1.20

v2026.1.21

v2026.1.22

v2026.1.23

v2026.1.24

v2026.1.24-1

v2026.1.29

v2026.1.30

v2026.2.1

v2026.2.2

v2026.2.3

v2026.2.6

v2026.2.6-1

v2026.2.6-2

v2026.2.6-3

v2026.2.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28395.json"