CVE-2026-43581
Improper Network Binding in OpenClaw Sandbox Browser CDP Relay
Publication date: 2026-05-06
Last updated on: 2026-05-07
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | up to 2026.4.10 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1188 | The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenClaw versions before 2026.4.10 and involves an improper network binding in the sandbox browser CDP relay. Specifically, the Chrome DevTools Protocol (CDP) is exposed on the IP address 0.0.0.0, which means it is accessible from outside the intended local sandbox boundaries. This overly broad binding configuration allows attackers to access the DevTools protocol remotely, which should normally be restricted.
How can this vulnerability impact me?
Because the Chrome DevTools Protocol is exposed beyond its intended local sandbox, attackers can remotely interact with the browser's debugging interface. This can lead to unauthorized access, manipulation, or control of the browser environment, potentially allowing attackers to execute malicious actions, steal sensitive information, or disrupt normal operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in OpenClaw exposes the Chrome DevTools Protocol on all network interfaces, allowing attackers to access it outside the intended sandbox boundaries. This unauthorized access could potentially lead to data exposure or unauthorized control.
Such exposure of sensitive data or unauthorized access could impact compliance with data protection regulations like GDPR or HIPAA, which require strict controls on data access and protection against unauthorized disclosure.
However, the provided information does not explicitly state the direct impact on compliance with these standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Chrome DevTools Protocol (CDP) relay being exposed on all network interfaces (0.0.0.0) instead of being restricted to local access. To detect this on your network or system, you can check for services listening on the CDP port bound to 0.0.0.0.
- Use local socket-listing commands such as `netstat -tuln | grep <CDP_port>` to see whether the CDP port is listening on 0.0.0.0.
- Use `ss -tuln | grep <CDP_port>` to identify listening sockets bound to all interfaces.
- Use `nmap` from a remote machine to scan the target system's CDP port and confirm whether it is reachable externally.
Replace `<CDP_port>` with the actual port number used by the OpenClaw sandbox browser CDP relay.
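The local check described above, as an added shell example that is not part of this advisory or of the OpenClaw project: it classifies how a given port is bound from `ss -tuln` style output, distinguishing a wildcard binding (0.0.0.0, [::], *) from a loopback-only one. The sample output and the port number 9222 are constructed placeholders, since the advisory does not state which port the relay uses.

```shell
#!/bin/sh
# Constructed sample in the format of `ss -tuln`; not captured from a real host.
# Port 9222 stands in for the CDP relay port, which the advisory does not name.
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      4096   0.0.0.0:9222        0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:8443      0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*'

# classify_binding PORT: reads ss-style lines on stdin and prints one of
#   EXPOSED        a listener on PORT is bound to a wildcard address
#   LOCAL          PORT is listening, but only on loopback or a specific address
#   NOT_LISTENING  nothing listens on PORT
classify_binding() {
    port="$1"
    verdict="NOT_LISTENING"
    while read -r _netid state _rq _sq laddr _peer; do
        # keep only socket rows; the header line has State="State"
        case "$state" in LISTEN|UNCONN) ;; *) continue ;; esac
        # split "addr:port" on the last colon so IPv6 "[::]:22" still parses
        lport="${laddr##*:}"
        addr="${laddr%:*}"
        [ "$lport" = "$port" ] || continue
        case "$addr" in
            0.0.0.0|\*|"[::]") verdict="EXPOSED"; break ;;
            *) verdict="LOCAL" ;;
        esac
    done
    echo "$verdict"
}

# check_sample PORT: run the classifier against the constructed sample above
check_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | classify_binding "$1"
}

# check_host PORT: the same classifier against the live socket table
check_host() {
    ss -tuln | classify_binding "$1"
}
```

Run `check_host <CDP_port>` on the host running the relay; EXPOSED means the port is reachable on every interface and the firewall or upgrade mitigations below apply.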
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been fixed in OpenClaw version 2026.4.10 by enforcing CDP source-range restriction by default.
- Immediately upgrade OpenClaw to version 2026.4.10 or later to apply the patch that restricts the CDP relay binding.
- If upgrading is not immediately possible, restrict network access to the CDP port by firewall rules to allow only trusted local connections.
- Monitor network traffic and logs for any unauthorized access attempts to the CDP port.