HIGH | CVE-2026-28468 | CNA: VulnCheck

CVE-2026-28468: OpenClaw 2026.1.29-beta.1 < 2026.2.14 - Authentication Bypass in Sandbox Browser Bridge Server

OpenClaw versions from 2026.1.29-beta.1 up to, but not including, 2026.2.14 contain a vulnerability in the sandbox browser bridge server: it accepts requests without requiring gateway authentication, which allows local attackers to access browser control endpoints. A local attacker can enumerate tabs, retrieve WebSocket URLs, execute JavaScript, and exfiltrate cookies and session data from authenticated browser contexts.

Metrics
  • CVSS v4.0: 8.5
  • Severity: HIGH
  • Fixed in: 2026.2.14
  • Affected Products: 1

Fix available: 2026.2.14
Affected packages
  • OpenClaw / OpenClaw
    < 2026.2.14 (from 2026.1.29-beta.1)
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N