Missing Authentication for Critical Function in OpenClaw - CVE-2026-28468


Published: May 4, 2026


Vulnerability identifier: #VU129440
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-28468
CWE-ID: CWE-306
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a local user to compromise browser sessions and disclose sensitive information.

The vulnerability exists because the sandbox browser bridge server exposes its browser control endpoints on the local loopback interface without authenticating the caller. Binding to loopback only restricts which hosts can connect, not which local principals, so any local user or process able to reach the port can send crafted HTTP requests to those endpoints, invoke browser control functions, and compromise browser sessions or disclose sensitive information.

Only instances with the sandboxed browser enabled are vulnerable.
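The pattern behind CWE-306 in this case, shown as an added illustration that is not OpenClaw's code: a loopback-bound HTTP control service whose only protection is its bind address, beside a version that requires a per-process random bearer token. The endpoint path, the token scheme and the JSON response are constructed for the example and do not reflect OpenClaw's actual endpoints. The probe() function is the kind of check a practitioner would run against a local bridge port to see whether unauthenticated control requests are accepted.

```python
import hmac
import http.server
import secrets
import threading
import urllib.error
import urllib.request

# Hypothetical control endpoint, constructed for this example (not OpenClaw's).
CONTROL_PATH = "/control/list-sessions"


def make_handler(expected_token):
    """Build a request handler; expected_token=None models the missing check."""

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_POST(self):
            if self.path != CONTROL_PATH:
                self.send_error(404)
                return
            if expected_token is not None:
                # Hardened variant: require a bearer token and compare in
                # constant time, so the bind address is not the only control.
                auth = self.headers.get("Authorization", "")
                presented = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
                if not hmac.compare_digest(presented, expected_token):
                    self.send_error(401)
                    return
            body = b'{"sessions": ["constructed-session-1"]}'  # constructed data
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass  # keep the example quiet

    return Handler


def start_server(expected_token):
    """Bind to loopback on an ephemeral port and serve in a background thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), make_handler(expected_token))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(port, token=None):
    """Send one control request; return the HTTP status. token=None = unauthenticated."""
    req = urllib.request.Request(
        f"http://127.0.0.1:{port}{CONTROL_PATH}", data=b"{}", method="POST"
    )
    if token is not None:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def demo():
    """Probe the weak and hardened servers; return the observed status codes."""
    # Vulnerable: any local process reaching the port gets the control function.
    weak = start_server(None)
    weak_unauth = probe(weak.server_address[1])
    weak.shutdown()
    weak.server_close()

    # Hardened: a per-process random token that only the legitimate client knows.
    token = secrets.token_urlsafe(32)
    hard = start_server(token)
    port = hard.server_address[1]
    results = {
        "weak_unauth": weak_unauth,
        "hard_unauth": probe(port),
        "hard_wrong": probe(port, "not-the-token"),
        "hard_right": probe(port, token),
    }
    hard.shutdown()
    hard.server_close()
    return results


if __name__ == "__main__":
    print(demo())
```

Against a real bridge, the same probe run without credentials tells you whether the port relies on loopback alone; a 200 on a control endpoint is the CWE-306 condition this advisory describes.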


How to mitigate CVE-2026-28468

Install the security update from the vendor's website. Until it is applied, instances that do not need the sandboxed browser can disable it, since only instances with the sandboxed browser enabled are affected.
