CVE-2026-28458

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-28458

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28458.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-28458

Aliases

GHSA-mr32-vwc2-5j6h

Published

2026-03-05T22:16:18.457Z

Modified

2026-04-02T13:22:11.597650Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enabled) /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. Attackers can exploit this by connecting to ws://127.0.0.1:18792/cdp to steal session cookies and execute JavaScript in other browser tabs.

References

Affected packages

Git / github.com/openclaw/openclaw

Affected ranges

Type

GIT

Repo

https://github.com/openclaw/openclaw

Events

Introduced

9a14267dfa5238188a30636bd60eed08f05a7255

Fixed

d842b28a1517f95aae2a5bcd97f2f726e42b93d8

Fixed

a1e89afcc19efd641c02b24d66d689f181ae2b5c

Database specific

{
    "versions": [
        {
            "introduced": "2026.1.20"
        },
        {
            "fixed": "2026.2.1"
        }
    ]
}

Affected versions

v2026.*

v2026.1.20

v2026.1.21

v2026.1.22

v2026.1.23

v2026.1.24

v2026.1.24-1

v2026.1.29

v2026.1.30

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28458.json"