Description
OpenClaw version 2026.1.14-1 prior to 2026.2.12 contains an improper network binding vulnerability in the Chrome extension (must be installed and enabled) relay server that treats wildcard hosts as loopback addresses, allowing the relay HTTP/WS server to bind to all interfaces when a wildcard cdpUrl is configured. Remote attackers can access relay HTTP endpoints off-host to leak service presence and port information, or conduct denial-of-service and brute-force attacks against the relay token header.
References (4)
Core 4
Core References
Vendor Advisory vendor-advisory
https://github.com/openclaw/openclaw/security/advisories/GHSA-qw99-grcx-4pvm
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/openclaw-unintended-public-binding-of-chrome-extension-relay-via-wildcard-cdpurl
Scores
CVSS v3
6.5
EPSS
0.0040
EPSS Percentile
31.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-1327
Status
published
Products (3)
npm/openclaw
2026.1.14-1 - 2026.2.12npm
openclaw/openclaw
2026.1.14-1 - 2026.2.12
OpenClaw/OpenClaw
2026.1.14-1 - 2026.2.12
Published
Mar 05, 2026
Tracked Since
Mar 06, 2026