Description
OpenClaw version 2026.1.14-1 prior to 2026.2.12 contain an improper network binding vulnerability in the Chrome extension (must be installed and enabled) relay server that treats wildcard hosts as loopback addresses, allowing the relay HTTP/WS server to bind to all interfaces when a wildcard cdpUrl is configured. Remote attackers can access relay HTTP endpoints off-host to leak service presence and port information, or conduct denial-of-service and brute-force attacks against the relay token header.
References (4)
Core 4
Core References
Vendor Advisory vendor-advisory
https://github.com/openclaw/openclaw/security/advisories/GHSA-qw99-grcx-4pvm
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/openclaw-unintended-public-binding-of-chrome-extension-relay-via-wildcard-cdpurl
Scores
CVSS v3
6.5
EPSS
0.0020
EPSS Percentile
41.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-1327
Status
published
Products (2)
npm/openclaw
2026.1.14-1 - 2026.2.12npm
openclaw/openclaw
2026.1.14-1 - 2026.2.12
Published
Mar 05, 2026
Tracked Since
Mar 06, 2026