CVE-2026-28458

OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay extension must be installed and enabled /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. Attackers can exploit...

OpenClaw < 2026.2.1 Authentication Bypass (GHSA-mp5h-m6qj-6292)

The version of the OpenClaw AI assistant installed on the remote host is prior to 2026.2.1. It is, therefore, affected by an authentication bypass vulnerability: - If channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without...