CVE-2026-28468
Received Received - Intake
Unauthorized Access in OpenClaw Sandbox Browser Bridge Server

Publication date: 2026-03-05

Last updated on: 2026-03-11

Assigner: VulnCheck

Description
OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser bridge server in which it accepts requests without requiring gateway authentication, allowing local attackers to access browser control endpoints. A local attacker can enumerate tabs, retrieve WebSocket URLs, execute JavaScript, and exfiltrate cookies and session data from authenticated browser contexts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28468
EUVD
EUVD-2026-9914
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw From 2026.1.29 (inc) to 2026.2.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14, specifically in the sandbox browser bridge server. The server accepts requests without requiring gateway authentication, which allows local attackers to access browser control endpoints.

A local attacker exploiting this vulnerability can enumerate browser tabs, retrieve WebSocket URLs, execute JavaScript code, and exfiltrate cookies and session data from authenticated browser contexts.

Impact Analysis

This vulnerability can have significant impacts including unauthorized access to browser control features by local attackers.

  • Attackers can enumerate open browser tabs.
  • Attackers can retrieve WebSocket URLs used by the browser.
  • Attackers can execute arbitrary JavaScript code within the browser context.
  • Attackers can exfiltrate cookies and session data from authenticated browser sessions, potentially leading to session hijacking or data theft.
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28468. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart