7 matches found
CVE-2026-28458
OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay extension must be installed and enabled /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. Attackers can exploit...
EUVD-2026-9906
OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay extension must be installed and enabled /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. Attackers can exploit...
CVE-2026-28458 OpenClaw 2026.1.20 < 2026.2.1 - Missing Authentication in Browser Relay /cdp WebSocket Endpoint
OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay extension must be installed and enabled /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. Attackers can exploit...
CVE-2026-28458
Summary: OpenClaw’s Browser Relay /cdp WebSocket endpoint did not require an authentication token, allowing loopback connections to access sensitive data. Affected versions are OpenClaw 2026.1.20 up to 2026.2.0; the endpoint is at ws://127.0.0.1:18792/cdp. An attacker could steal session cookies ...
OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access
Summary In affected versions, the Browser Relay /cdp WebSocket endpoint did not require an authentication token. As a result, a website running in the browser could potentially connect to the local relay via loopback WebSocket and use CDP to access cookies from other open tabs and run JavaScript ...
GHSA-MR32-VWC2-5J6H OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access
Summary In affected versions, the Browser Relay /cdp WebSocket endpoint did not require an authentication token. As a result, a website running in the browser could potentially connect to the local relay via loopback WebSocket and use CDP to access cookies from other open tabs and run JavaScript ...
PT-2026-23535
Name of the Vulnerable Software and Affected Versions OpenClaw versions 2026.1.20 through 2026.2.0 moltbot versions 0.1.0 and earlier Description The Browser Relay /cdp WebSocket endpoint did not require authentication, allowing websites to connect via loopback and access sensitive data. Attacker...