anonhaven
Ad

CVE-2026-28468

HIGH CVSS 4.0: 8.5 EPSS 0.02%
Updated Mar 06, 2026
OpenClaw
Parameter Value
CVSS 8.5 (HIGH)
Affected Versions before 2026.2.14
Type CWE-306 (Missing Authentication for Critical Function (Отсутствие аутентификации))
Vendor OpenClaw
Public PoC No

OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser bridge server in which it accepts requests without requiring gateway authentication, allowing local attackers to access browser control endpoints. A local attacker can enumerate tabs, retrieve WebSocket URLs, execute JavaScript, and exfiltrate cookies and session data from authenticated browser contexts.

Attack Parameters

Attack Vector
Local
Нужен локальный доступ
Attack Complexity
Low
Легко эксплуатировать
Attack Requirements
None
Нет дополнительных условий
Privileges Required
None
Права не нужны
User Interaction
None
Не нужно действие пользователя

Impact Assessment

Confidentiality
High
Полная утечка данных
Integrity
High
Полная модификация данных
Availability
None
Нет нарушения работы

CVSS Vector v4.0

Weakness Type (CWE)

CWE-306 Missing Authentication for Critical Function (Отсутствие аутентификации)

References 5

https://github.com/openclaw/openclaw/commit/4711a943e30bc58016247152ba06472dab0…
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/commit/6dd6bce997c48752134f2d6ed89b27de01c…
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/commit/cd84885a4ac78eadb7bf321aae98db95194…
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/security/advisories/GHSA-h9g4-589h-68xv
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openclaw-beta-authentication-bypass-in-san…
disclosure@vulncheck.com
Share Post Share Share Share