CVE-2026-28395 OpenClaw 2026.1.14-1 < 2026.2.12 - Unintended Public Binding of Chrome Extension Relay via Wildcard cdpUrl

OpenClaw version 2026.1.14-1 prior to 2026.2.12 contains an improper network binding vulnerability in the Chrome extension must be installed and enabled relay server that treats wildcard hosts as loopback addresses, allowing the relay HTTP/WS server to bind to all interfaces when a wildcard cdpUr...

OpenClaw Loopback CDP probe can leak Gateway token to local listener

Summary A local process can capture the OpenClaw Gateway auth token from Chrome CDP probe traffic on loopback. Details Affected versions inject x-openclaw-relay-token for loopback CDP URLs, and CDP reachability probes send that header to /json/version. If an attacker controls the probed loopback...

GHSA-MR32-VWC2-5J6H OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access

Summary In affected versions, the Browser Relay /cdp WebSocket endpoint did not require an authentication token. As a result, a website running in the browser could potentially connect to the local relay via loopback WebSocket and use CDP to access cookies from other open tabs and run JavaScript ...