CVE-2026-43581
Severity: CRITICAL
OpenClaw < 2026.4.10 - Chrome DevTools Protocol Exposure via Overly Broad CDP Relay Binding
Title source: CNA
Description
OpenClaw before 2026.4.10 contains an improper network binding vulnerability in the sandbox browser CDP relay: the relay exposes the Chrome DevTools Protocol on 0.0.0.0 (all network interfaces) rather than a local-only address. Because of this overly broad binding configuration, attackers can reach the DevTools protocol from outside the intended local sandbox boundary.
References (3)
Vendor Advisory
GitHub Security Advisory (GHSA-525j-hqq2-66r4)
https://github.com/openclaw/openclaw/security/advisories/GHSA-525j-hqq2-66r4
Patch
Patch Commit
https://github.com/openclaw/openclaw/commit/fbf11ebdb7110632f93926d0ac7b48f04cb44d77
Third Party Advisory
VulnCheck Advisory: OpenClaw < 2026.4.10 - Chrome DevTools Protocol Exposure via Overly Broad CDP Relay Binding
https://www.vulncheck.com/advisories/openclaw-chrome-devtools-protocol-exposure-via-overly-broad-cdp-relay-binding
Scores
CVSS v3: 9.6
EPSS: 0.0002
EPSS Percentile: 5.9%
Attack Vector: ADJACENT_NETWORK
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-1188
Status: published
Products (3)
OpenClaw/OpenClaw < 2026.4.10
openclaw/openclaw < 2026.4.10
OpenClaw/OpenClaw 2026.4.10
Published: May 06, 2026
Tracked Since: May 07, 2026