Missing Authentication for Critical Function in OpenClaw - CVE-2026-28458


Published: May 4, 2026


Vulnerability identifier: #VU129499
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-28458
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software: OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information and execute arbitrary script in the context of other open tabs.

The vulnerability exists due to improper access control in the Browser Relay /cdp WebSocket endpoint when handling browser-initiated loopback WebSocket connections. A remote attacker can connect to the local relay from a website and use Chrome DevTools Protocol messages to disclose sensitive information and execute arbitrary script in the context of other open tabs.

Exploitation requires the Browser Relay extension to be installed and active, and the victim must visit an untrusted site.
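For defenders reviewing similar loopback relays, the following added example (not OpenClaw's code) contrasts the CWE-306 shape described above, a relay that accepts any loopback client, with an upgrade-time gate that checks the `Origin` header against an allowlist and requires a per-session token; the header names, the query-parameter token transport, the extension origin and the sample requests are assumptions constructed for the demonstration.

```javascript
const CDP_PATH = "/cdp";

// Vulnerable shape (CWE-306): any client that reaches the loopback port,
// including a web page the victim currently has open, gets a CDP session.
function acceptIfLoopback(req) {
  return req.socket.remoteAddress === "127.0.0.1" && req.url.startsWith(CDP_PATH);
}

// Constant-time comparison so the token check does not leak prefix timing.
function tokenMatches(expected, supplied) {
  if (typeof supplied !== "string" || supplied.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) diff |= expected.charCodeAt(i) ^ supplied.charCodeAt(i);
  return diff === 0;
}

// Hardened gate for an HTTP Upgrade request to /cdp.
// req: {url, headers, socket} with lower-cased header names (Node http style).
// policy: {allowedOrigins: Set<string>, token: string}
function authorizeCdpUpgrade(req, policy) {
  const url = new URL(req.url, "http://127.0.0.1");
  if (url.pathname !== CDP_PATH) return { ok: false, reason: "unknown path" };

  // Browser-initiated connections always carry the page's Origin; only the
  // relay extension's own origin (assumed chrome-extension://<id>) is accepted.
  const origin = req.headers["origin"];
  if (!origin || !policy.allowedOrigins.has(origin)) return { ok: false, reason: "origin not allowed" };

  // Even an allowed origin must prove possession of the per-session secret;
  // here it travels as a query parameter (assumption, not the project's scheme).
  if (!tokenMatches(policy.token, url.searchParams.get("token"))) return { ok: false, reason: "bad token" };

  return { ok: true, reason: "authorized" };
}

// Constructed sample policy and requests for a local run.
const POLICY = {
  allowedOrigins: new Set(["chrome-extension://exampleextensionid"]),
  token: "s3cr3t-session-token",
};
const FROM_WEBSITE = {
  url: "/cdp",
  headers: { origin: "https://untrusted-site.example" },
  socket: { remoteAddress: "127.0.0.1" },
};
const FROM_EXTENSION = {
  url: "/cdp?token=s3cr3t-session-token",
  headers: { origin: "chrome-extension://exampleextensionid" },
  socket: { remoteAddress: "127.0.0.1" },
};
```

Running `authorizeCdpUpgrade(FROM_WEBSITE, POLICY)` rejects the page-originated connection that `acceptIfLoopback` would have let through, while the extension request with the correct token is authorized.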


How to mitigate CVE-2026-28458

Install the security update from the vendor's website.

Sources