CVE-2026-28468

7.7 HIGH

📋 TL;DR

OpenClaw sandbox browser bridge server accepts requests without gateway authentication, allowing local attackers to access browser control endpoints. This enables enumeration of tabs, retrieval of WebSocket URLs, JavaScript execution, and exfiltration of cookies/session data from authenticated browser contexts. Affects OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14.

💻 Affected Systems

Products:
  • OpenClaw
Versions: 2026.1.29-beta.1 up to, but not including, 2026.2.14
Operating Systems: All platforms running OpenClaw
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the sandbox browser bridge server component. Requires OpenClaw to be running with browser bridge functionality enabled.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains full control over browser sessions, steals authentication tokens and sensitive data, executes arbitrary JavaScript in authenticated contexts, and potentially pivots to other systems using stolen credentials.

🟠 Likely Case

Local attacker enumerates browser tabs, extracts session cookies and authentication data, and executes JavaScript in browser contexts to steal sensitive information or perform actions as the authenticated user.

🟢 If Mitigated

With proper authentication controls, only authorized users can access browser control endpoints, preventing unauthorized access to browser sessions and data.

🌐 Internet-Facing: LOW - Vulnerability requires local access to the system running OpenClaw.
🏢 Internal Only: HIGH - Local attackers on the same system can exploit this to access sensitive browser data and execute code in browser contexts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires local access to the system but no authentication. Simple HTTP requests to the vulnerable endpoints can trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2026.2.14 and later

Vendor Advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-h9g4-589h-68xv

Restart Required: Yes

Instructions:

1. Update OpenClaw to version 2026.2.14 or later.
2. Restart the OpenClaw service.
3. Verify the update by checking the version.

🔧 Temporary Workarounds

Disable sandbox browser bridge server (linux)

Temporarily disable the vulnerable component until patching is possible:

systemctl stop openclaw-browser-bridge
killall openclaw-browser-bridge

Implement network isolation (linux)

Restrict access to the browser bridge server port using firewall rules (replace [BRIDGE_PORT] with the port the bridge listens on). Note that INPUT rules also match loopback traffic, so a blanket DROP on the port blocks legitimate local clients of the bridge as well as the local attacker this CVE describes:

iptables -A INPUT -p tcp --dport [BRIDGE_PORT] -j DROP
ufw deny [BRIDGE_PORT]

🧯 If You Can't Patch

  • Isolate systems running vulnerable OpenClaw versions from other critical systems
  • Implement strict local access controls and monitoring on affected systems

🔍 How to Verify

Check if Vulnerable:

Check OpenClaw version: if version is between 2026.1.29-beta.1 and 2026.2.13 (inclusive), system is vulnerable. Test by attempting to access browser bridge endpoints without authentication.

Check Version:

openclaw --version

Verify Fix Applied:

Verify OpenClaw version is 2026.2.14 or later. Test that browser bridge endpoints now require proper authentication.
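The version check above can be scripted. The following is an added example, not code from the advisory or the OpenClaw project: a POSIX sh function that decides whether a version string lies in the range this page reports as vulnerable (2026.1.29-beta.1 inclusive up to, but not including, 2026.2.14). It assumes versions have the shape YYYY.M.D or YYYY.M.D-<prerelease>, as the versions quoted on the page do; the exact output format of `openclaw --version` is not on the page, so the version token is passed in as an argument rather than parsed from that command.

```shell
#!/bin/sh
# Added example, not part of the advisory or the OpenClaw project: decide whether a
# version string falls in the range this page reports as vulnerable,
# >= 2026.1.29-beta.1 and < 2026.2.14. Versions are assumed to look like
# YYYY.M.D or YYYY.M.D-<prerelease>, matching the versions quoted on the page.

VULN_FROM=2026.1.29-beta.1   # first affected version (inclusive)
FIXED_IN=2026.2.14           # patch version (exclusive upper bound)

# Print the three dot-separated fields of YYYY.M.D, space separated.
date_fields() {
    core=$1
    y=${core%%.*}; rest=${core#*.}
    m=${rest%%.*}; d=${rest#*.}
    printf '%s %s %s\n' "$y" "$m" "$d"
}

# Succeed only if $1 has the shape YYYY.M.D or YYYY.M.D-<prerelease> with numeric fields.
valid_version() {
    core=${1%%-*}
    case $core in *.*.*.*) return 1 ;; *.*.*) ;; *) return 1 ;; esac
    set -- $(date_fields "$core")
    for f in "$1" "$2" "$3"; do
        case $f in ''|*[!0-9]*) return 1 ;; esac
    done
    return 0
}

# vercmp A B: print -1, 0 or 1 as A is older than, equal to, or newer than B.
# A pre-release sorts before the release with the same date (2026.1.29-beta.1 < 2026.1.29);
# two pre-releases of the same date are compared as plain strings (a simplification:
# "beta.10" would sort before "beta.2").
vercmp() {
    a_core=${1%%-*}; b_core=${2%%-*}
    a_pre=''; b_pre=''
    case $1 in *-*) a_pre=${1#*-} ;; esac
    case $2 in *-*) b_pre=${2#*-} ;; esac
    set -- $(date_fields "$a_core") $(date_fields "$b_core")
    for pair in "$1:$4" "$2:$5" "$3:$6"; do
        x=${pair%%:*}; y=${pair#*:}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    done
    if [ -z "$a_pre" ] && [ -n "$b_pre" ]; then printf '%s\n' 1; return 0; fi
    if [ -n "$a_pre" ] && [ -z "$b_pre" ]; then printf '%s\n' -1; return 0; fi
    if [ "$a_pre" = "$b_pre" ]; then printf '%s\n' 0; return 0; fi
    first=$(printf '%s\n%s\n' "$a_pre" "$b_pre" | sort | head -n 1)
    if [ "$first" = "$a_pre" ]; then printf '%s\n' -1; else printf '%s\n' 1; fi
}

# openclaw_vulnerable V: exit 0 if V is in the vulnerable range, 1 if not,
# 2 if V is not a recognisable version string.
openclaw_vulnerable() {
    valid_version "$1" || return 2
    [ "$(vercmp "$1" "$VULN_FROM")" -ge 0 ] && [ "$(vercmp "$1" "$FIXED_IN")" -lt 0 ]
}

# Usage: pass the version token shown by `openclaw --version`, e.g. ./check.sh 2026.2.13
if [ $# -gt 0 ]; then
    if openclaw_vulnerable "$1"; then
        echo "$1: inside the vulnerable range; update to $FIXED_IN or later"
    else
        echo "$1: not in the vulnerable range (or not a recognised version string)"
    fi
fi
```

A pre-release of the fixed version (for example 2026.2.14-beta.1) is reported as vulnerable, because it is "prior to 2026.2.14" in the sense the advisory uses; confirm against the vendor advisory before treating such a build as patched. The script is only a version gate; the page's second check, that the bridge endpoints now reject unauthenticated requests, still has to be done against the running service.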

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access attempts to browser bridge endpoints
  • Unusual JavaScript execution events from browser bridge
  • Multiple tab enumeration requests from localhost

Network Indicators:

  • HTTP requests to browser bridge endpoints without authentication headers
  • Unusual WebSocket connections initiated from browser bridge server

SIEM Query:

source="openclaw.log" AND ("authentication failed" OR "unauthorized access" OR "browser bridge")
