Improper access control in OpenClaw - CVE-2026-28395
Published: May 4, 2026
OpenClaw
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose limited information and cause a denial of service.
The vulnerability exists due to improper access control in ensureChromeExtensionRelayServer when handling a wildcard cdpUrl. A remote attacker can send requests to exposed relay HTTP endpoints to disclose limited information and cause a denial of service.
The issue occurs when the relay HTTP/WS server is bound to all interfaces because wildcard hosts are treated as loopback.