
41 matches found

OSV
added 2026/04/17 9:59 p.m. | 0 views

GHSA-525J-HQQ2-66R4 OpenClaw: Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0

Summary Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact The sandbox browser CDP relay could bind too broadly, exposing Chrome DevTools Protocol access outside the intende...

7.5 CVSS | 5.7 AI score
Exploits: 0 | References: 4
Github Security Blog
added 2026/04/17 9:59 p.m. | 5 views

OpenClaw: Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0

Summary Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact The sandbox browser CDP relay could bind too broadly, exposing Chrome DevTools Protocol access outside the intende...

5.7 AI score
Exploits: 0 | References: 4 | Affected Software: 1
NVD
added 2026/03/29 1:17 p.m. | 2 views

CVE-2026-32972

OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing authenticated operators with only operator.write permission to access admin-only browser profile management routes through browser.request. Attackers can create or modify browser profiles and persist...

7.1 CVSS | 0.00288 EPSS
Exploits: 0 | References: 2
RedhatCVE
added 2026/03/26 3:6 p.m. | 3 views

CVE-2026-22174

OpenClaw versions prior to 2026.2.22 inject the x-OpenClaw-relay-token header into Chrome CDP probe traffic on loopback interfaces, allowing local processes to capture the Gateway authentication token. An attacker controlling a loopback port can intercept CDP reachability probes to the...

6.8 CVSS | 5.8 AI score | 0.00126 EPSS
Exploits: 0 | References: 1
OSV
added 2026/03/18 2:16 a.m. | 2 views

CVE-2026-22174

OpenClaw versions prior to 2026.2.22 inject the x-OpenClaw-relay-token header into Chrome CDP probe traffic on loopback interfaces, allowing local processes to capture the Gateway authentication token. An attacker controlling a loopback port can intercept CDP reachability probes to the...

6.1 CVSS | 5.9 AI score
Exploits: 0 | References: 3
ATTACKERKB
added 2026/03/18 1:34 a.m. | 3 views

CVE-2026-22174

OpenClaw versions prior to 2026.2.22 inject the x-OpenClaw-relay-token header into Chrome CDP probe traffic on loopback interfaces, allowing local processes to capture the Gateway authentication token. An attacker controlling a loopback port can intercept CDP reachability probes to the...

5.9 CVSS | 5.8 AI score | 0.00126 EPSS
Exploits: 0 | References: 4
Cvelist
added 2026/03/18 1:34 a.m. | 23 views

CVE-2026-22174 OpenClaw < 2026.2.22 - Gateway Token Disclosure via Chrome CDP Probe

OpenClaw versions prior to 2026.2.22 inject the x-OpenClaw-relay-token header into Chrome CDP probe traffic on loopback interfaces, allowing local processes to capture the Gateway authentication token. An attacker controlling a loopback port can intercept CDP reachability probes to the...

6.8 CVSS | 0.00126 EPSS
Exploits: 0 | References: 3
OSV
added 2026/03/03 9:50 p.m. | 3 views

GHSA-V3J7-34XH-6G3W OpenClaw Loopback CDP probe can leak Gateway token to local listener

Summary A local process can capture the OpenClaw Gateway auth token from Chrome CDP probe traffic on loopback. Details Affected versions inject x-openclaw-relay-token for loopback CDP URLs, and CDP reachability probes send that header to /json/version. If an attacker controls the probed loopback...

5.7 CVSS | 6 AI score | 0.00126 EPSS
Exploits: 0 | References: 5
Github Security Blog
added 2026/03/03 9:50 p.m. | 6 views

OpenClaw Loopback CDP probe can leak Gateway token to local listener

Summary A local process can capture the OpenClaw Gateway auth token from Chrome CDP probe traffic on loopback. Details Affected versions inject x-openclaw-relay-token for loopback CDP URLs, and CDP reachability probes send that header to /json/version. If an attacker controls the probed loopback...

6.8 CVSS | 6 AI score | 0.00126 EPSS
Exploits: 0 | References: 5 | Affected Software: 1
Positive Technologies
added 2026/03/03 12:0 a.m. | 5 views

PT-2026-26006

Summary A local process can capture the OpenClaw Gateway auth token from Chrome CDP probe traffic on loopback. Details Affected versions inject x-openclaw-relay-token for loopback CDP URLs, and CDP reachability probes send that header to /json/version. If an attacker controls the probed loopback...

6.1 CVSS | 5.9 AI score | 0.00126 EPSS
Exploits: 0 | References: 9
Github Security Blog
added 2026/02/18 5:45 p.m. | 13 views

OpenClaw has an authentication bypass in sandbox browser bridge server

Summary openclaw could start the sandbox browser bridge server without authentication. When the sandboxed browser is enabled, openclaw runs a local loopback HTTP bridge that exposes browser control endpoints for example /profiles, /tabs, /tabs/open, /agent/. Due to missing auth wiring in the...

8.5 CVSS | 5.6 AI score | 0.00142 EPSS
Exploits: 0 | References: 6 | Affected Software: 1
EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2018-10075

Malware in sbrugna...

6.5 CVSS | 7.9 AI score | 0.01498 EPSS
Exploits: 0 | References: 9
SUSE CVE
added 2023/02/15 4:22 a.m. | 4 views

SUSE CVE-2018-18344

Inappropriate allowance of the setDownloadBehavior devtools protocol feature in Extensions in Google Chrome prior to 71.0.3578.80 allowed a remote attacker with control of an installed extension to access files on the local file system via a crafted Chrome Extension...

6.5 CVSS | 7.9 AI score | 0.01498 EPSS
Exploits: 0 | References: 7
OpenVAS
added 2022/08/01 12:0 a.m. | 8 views

Fedora: Security Advisory for golang-github-chromedp-cdproto (FEDORA-2022-5038c3236c)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

7.5 AI score
Exploits: 0 | References: 2
Fedora
added 2022/07/31 1:37 a.m. | 14 views

[SECURITY] Fedora 36 Update: golang-github-chromedp-cdproto-0-0.9.20220719git285dfb4.fc36

Package cdproto contains the generated commands, types, and events for the Chrome DevTools Protocol domains...

2.8 AI score
Exploits: 0
OpenVAS
added 2022/07/18 12:0 a.m. | 19 views

Fedora: Security Advisory for golang-github-chromedp (FEDORA-2022-3969b64d4b)

The remote host is missing an update for the Copyright C 2022 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

9.1 AI score
Exploits: 0 | References: 2
Fedora
added 2022/07/17 1:15 a.m. | 35 views

[SECURITY] Fedora 35 Update: golang-github-chromedp-0.6.12-5.fc35

A faster, simpler way to drive browsers supporting the Chrome DevTools Protocol...

9.3 CVSS | 3.2 AI score | 0.05994 EPSS
Exploits: 3
OpenVAS
added 2022/07/14 12:0 a.m. | 23 views

Fedora: Security Advisory for golang-github-chromedp (FEDORA-2022-ba365d3703)

The remote host is missing an update for the Copyright C 2022 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

7.5 CVSS | 8.9 AI score | 0.05292 EPSS
Exploits: 3 | References: 2
Fedora
added 2022/07/13 2:0 a.m. | 28 views

[SECURITY] Fedora 36 Update: golang-github-chromedp-0.8.1-2.fc36

A faster, simpler way to drive browsers supporting the Chrome DevTools Protocol...

9.3 CVSS | 3.2 AI score | 0.05292 EPSS
Exploits: 4
Veracode
added 2020/12/06 4:45 a.m. | 17 views

Improper Access Control

chromium is vulnerable to improper access control. The vulnerability exists due to the inappropriate allowance of the setDownloadBehavior devtools protocol feature in extensions in Google Chrome, allowing an attacker with control of an installed extension to access files on the local file system...

6.5 CVSS | 4.7 AI score | 0.01498 EPSS
Exploits: 0 | References: 7 | Affected Software: 1