CVE-2026-28468: OpenClaw has an authentication bypass in sandbox browser bridge server
openclaw could start the sandbox browser bridge server without authentication.
When the sandboxed browser is enabled, openclaw runs a local (loopback) HTTP bridge that exposes browser control endpoints (for example /profiles, /tabs, /tabs/open, /agent/*). Due to missing auth wiring in the sandbox initialization path, that bridge server accepted requests without requiring gateway auth.
References
- github.com/advisories/GHSA-h9g4-589h-68xv
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/4711a943e30bc58016247152ba06472dab09d0b0
- github.com/openclaw/openclaw/commit/6dd6bce997c48752134f2d6ed89b27de01ced7e3
- github.com/openclaw/openclaw/commit/cd84885a4ac78eadb7bf321aae98db9519426d67
- github.com/openclaw/openclaw/releases/tag/v2026.2.14
- github.com/openclaw/openclaw/security/advisories/GHSA-h9g4-589h-68xv
- nvd.nist.gov/vuln/detail/CVE-2026-28468