CVE-2026-28395 - Vulnerability Analysis
Severity: Critical
CVSS: 9.8
Last Updated: March 5, 2026
OpenClaw - Misconfiguration
Published: March 5, 2026
Updated: March 5, 2026
Remote Exploitable
Overview
OpenClaw before 2026.2.12 binds its Chrome extension relay server to an unrestricted address (CWE-1327). The relay derives its listening host from the configured cdpUrl and treats wildcard hosts (0.0.0.0 and ::) as if they were loopback addresses, so a wildcard cdpUrl makes the relay's HTTP endpoints listen on every interface instead of only on localhost. A remote attacker who can reach the host can then access those endpoints to leak service information and conduct denial-of-service or brute-force attacks against the relay. Exploitation requires the Chrome extension to be installed and enabled, since the relay only runs in that case.
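The following TypeScript is an added illustration of the bind-host decision described above; it is not OpenClaw's code and the function names, the cdpUrl values and the buggy classifier are assumptions reconstructed from the advisory text. It places the vulnerable pattern (wildcard addresses accepted as loopback) next to a strict classifier that fails closed, plus the two checks a relay should make: before binding, from the cdpUrl, and after `listen()`, from `server.address()`.

```typescript
// Added example (not OpenClaw's code): deciding whether a relay may bind to the
// host taken from a CDP URL. Names and the "buggy" classifier are assumptions
// reconstructed from the advisory, shown next to a hardened version.
import { isIP } from "net";

// Strip the IPv6 brackets that WHATWG URL keeps in `hostname` ("[::1]" -> "::1").
function bareHost(host: string): string {
  return host.replace(/^\[|\]$/g, "").toLowerCase();
}

// Vulnerable pattern: the wildcard addresses 0.0.0.0 and :: are accepted as
// "local", so the relay ends up listening on every interface.
export function isLoopbackHostBuggy(host: string): boolean {
  const h = bareHost(host);
  return h === "localhost" || h.startsWith("127.") || h === "::1" ||
         h === "0.0.0.0" || h === "::";
}

// Hardened classifier: only a syntactically valid address inside 127.0.0.0/8,
// the IPv6 loopback, an IPv4-mapped 127.x address, or the literal name
// "localhost" counts as loopback. Wildcards and anything unparseable are
// rejected, so a misconfiguration refuses to bind instead of exposing the relay.
export function isLoopbackHost(host: string): boolean {
  const h = bareHost(host);
  if (h === "localhost") return true;
  if (h.startsWith("::ffff:")) {
    // IPv4-mapped IPv6 in dotted form only; the hex form (::ffff:7f00:1) is
    // deliberately not recognised, which errs on the side of refusing to bind.
    const v4 = h.slice("::ffff:".length);
    return isIP(v4) === 4 && v4.startsWith("127.");
  }
  const version = isIP(h);
  if (version === 4) return h.startsWith("127.");            // 127.0.0.0/8
  if (version === 6) return h === "::1" || h === "0:0:0:0:0:0:0:1";
  return false; // "127.1", "0.0.0.0", "::", any other hostname
}

// Pre-bind check: the cdpUrl is operator configuration, so the host it names
// must be validated before it is handed to listen().
export function chooseRelayBindHost(cdpUrl: string): string {
  const { hostname } = new URL(cdpUrl);
  if (!isLoopbackHost(hostname)) {
    throw new Error(`refusing to bind relay to non-loopback host "${hostname}" from cdpUrl`);
  }
  return bareHost(hostname);
}

// Post-listen check: pass server.address() from an http.Server. A string means
// a Unix socket or named pipe (local-only); null means the server is not listening.
export function listenerIsLoopback(
  addr: { address: string } | string | null,
): boolean {
  if (addr === null) return false;
  if (typeof addr === "string") return true;
  return isLoopbackHost(addr.address);
}
```

The strict classifier rejects shorthand such as `127.1` and unusual IPv6 spellings even though the operating system would resolve them to loopback; for a bind decision a false negative only costs a clearer error at startup, whereas a false positive is exactly this CVE.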
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Remote attackers who can reach the relay's listening port can access its HTTP endpoints to leak service information and conduct denial-of-service or brute-force attacks against the relay server. Note that the CVSS vector below (C:H/I:H/A:H) rates the impact higher than the information leak, DoS and brute-force outcomes described here.
Mitigation
Update to version 2026.2.12 or later. Until the update is applied, make sure the configured cdpUrl names an explicit loopback host (127.0.0.1 or ::1) rather than a wildcard, and verify on the host that the relay is listening only on a loopback address (for example with ss -ltnp or netstat -an).
References
- https://github.com/openclaw/openclaw/commit/a1e89afcc19efd641c02b24d66d689f181ae2b5c
- https://github.com/openclaw/openclaw/security/advisories/GHSA-qw99-grcx-4pvm
- https://www.vulncheck.com/advisories/openclaw-unintended-public-binding-of-chrome-extension-relay-via-wildcard-cdpurl
- https://github.com/openclaw/openclaw/commit/8d75a496bf5aaab1755c56cf48502d967c75a1d0
Details
- CVE ID: CVE-2026-28395
- Severity: Critical
- CVSS Score: 9.8
- Type: misconfiguration
- Status: new
CWE
- CWE-1327: Binding to an Unrestricted IP Address
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H