GHSA-mr32-vwc2-5j6h: OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access

February 17, 2026

In affected versions, the Browser Relay /cdp WebSocket endpoint did not require an authentication token. As a result, a website running in the browser could potentially connect to the local relay (via loopback WebSocket) and use CDP to access cookies from other open tabs and run JavaScript in the context of other tabs.

References

github.com/advisories/GHSA-mr32-vwc2-5j6h
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/a1e89afcc19efd641c02b24d66d689f181ae2b5c
github.com/openclaw/openclaw/releases/tag/v2026.2.1
github.com/openclaw/openclaw/security/advisories/GHSA-mr32-vwc2-5j6h

Code Behaviors & Features

Detect and mitigate GHSA-mr32-vwc2-5j6h with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →