CVE-2026-28458: OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access
(updated )
In affected versions, the Browser Relay /cdp WebSocket endpoint did not require an authentication token. As a result, a website running in the browser could potentially connect to the local relay (via loopback WebSocket) and use CDP to access cookies from other open tabs and run JavaScript in the context of other tabs.
References
- github.com/advisories/GHSA-mr32-vwc2-5j6h
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/a1e89afcc19efd641c02b24d66d689f181ae2b5c
- github.com/openclaw/openclaw/releases/tag/v2026.2.1
- github.com/openclaw/openclaw/security/advisories/GHSA-mr32-vwc2-5j6h
- nvd.nist.gov/vuln/detail/CVE-2026-28458
- www.vulncheck.com/advisories/openclaw-missing-authentication-in-browser-relay-cdp-websocket-endpoint
Code Behaviors & Features
Detect and mitigate CVE-2026-28458 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →