GHSA-H9G4-589H-68XV
Vulnerability from github – Published: 2026-02-18 17:45 – Updated: 2026-03-05 21:50
Summary
OpenClaw has an authentication bypass in sandbox browser bridge server
Details
Summary
openclaw could start the sandbox browser bridge server without authentication.
When the sandboxed browser is enabled, openclaw runs a local (loopback) HTTP bridge that exposes browser control endpoints (for example /profiles, /tabs, /tabs/open, /agent/*). Due to missing auth wiring in the sandbox initialization path, that bridge server accepted requests without requiring gateway auth.
Impact
A local attacker (any process on the same machine) could access the bridge server port and:
- enumerate open tabs and retrieve CDP WebSocket URLs
- open/close/navigate tabs
- execute JavaScript in page contexts via CDP
- exfiltrate cookies/session data and page contents from authenticated sessions
This is a localhost-only exposure (CVSS AV:L), but provides full browser-session compromise for sandboxed browser usage.
Affected Versions
- Introduced in: 2026.1.29-beta.1 (first npm release that shipped the sandbox browser bridge)
- Affected range: >=2026.1.29-beta.1 <2026.2.14
Patched Versions
- 2026.2.14
Mitigation
- Upgrade to 2026.2.14 (recommended).
- Or disable the sandboxed browser (agents.defaults.sandbox.browser.enabled=false).
Fix Details
- The sandbox browser bridge server now always requires auth and enforces the same gateway browser control auth (token/password) that loopback browser clients already use.
- Additional hardening: bridge server refuses non-loopback binds; local helper servers are bound to loopback.
- Added regression tests (including unit coverage for per-port bridge auth fallback).
Fix commits:
- openclaw/openclaw@4711a943e30bc58016247152ba06472dab09d0b0
- openclaw/openclaw@6dd6bce997c48752134f2d6ed89b27de01ced7e3
- openclaw/openclaw@cd84885a4ac78eadb7bf321aae98db9519426d67
Credits
Thanks to Adnan Jakati (@jackhax) of Praetorian for reporting this issue.
Severity
7.1 (High)
{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2026.1.29-beta.1"
            },
            {
              "fixed": "2026.2.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28468"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-18T17:45:31Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nopenclaw could start the sandbox browser bridge server without authentication.\n\nWhen the sandboxed browser is enabled, openclaw runs a local (loopback) HTTP bridge that exposes browser control endpoints (for example `/profiles`, `/tabs`, `/tabs/open`, `/agent/*`). Due to missing auth wiring in the sandbox initialization path, that bridge server accepted requests without requiring gateway auth.\n\n## Impact\n\nA local attacker (any process on the same machine) could access the bridge server port and:\n\n- enumerate open tabs and retrieve CDP WebSocket URLs\n- open/close/navigate tabs\n- execute JavaScript in page contexts via CDP\n- exfiltrate cookies/session data and page contents from authenticated sessions\n\nThis is a localhost-only exposure (CVSS AV:L), but provides full browser-session compromise for sandboxed browser usage.\n\n## Affected Versions\n\n- Introduced in: `2026.1.29-beta.1` (first npm release that shipped the sandbox browser bridge)\n- Affected range: `\u003e=2026.1.29-beta.1 \u003c2026.2.14`\n\n## Patched Versions\n\n- `2026.2.14`\n\n## Mitigation\n\n- Upgrade to `2026.2.14` (recommended).\n- Or disable the sandboxed browser (`agents.defaults.sandbox.browser.enabled=false`).\n\n## Fix Details\n\n- The sandbox browser bridge server now always requires auth and enforces the same gateway browser control auth (token/password) that loopback browser clients already use.\n- Additional hardening: bridge server refuses non-loopback binds; local helper servers are bound to loopback.\n- Added regression tests (including unit coverage for per-port bridge auth fallback).\n\nFix commits:\n\n- openclaw/openclaw@4711a943e30bc58016247152ba06472dab09d0b0\n- openclaw/openclaw@6dd6bce997c48752134f2d6ed89b27de01ced7e3\n- openclaw/openclaw@cd84885a4ac78eadb7bf321aae98db9519426d67\n## Credits\n\nThanks to Adnan Jakati (@jackhax) of [Praetorian](https://www.praetorian.com/) for reporting this issue.",
  "id": "GHSA-h9g4-589h-68xv",
  "modified": "2026-03-05T21:50:00Z",
  "published": "2026-02-18T17:45:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h9g4-589h-68xv"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/4711a943e30bc58016247152ba06472dab09d0b0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/6dd6bce997c48752134f2d6ed89b27de01ced7e3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/cd84885a4ac78eadb7bf321aae98db9519426d67"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaw has an authentication bypass in sandbox browser bridge server"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.