Home / Vulnerability Intelligence / CVE-2026-28458

CVE-2026-28458 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: March 6, 2026

OpenClaw - Authentication Bypass

Published: March 5, 2026Updated: March 6, 2026Remote Exploitable

Overview

OpenClaw < 2026.2.1 contains a broken authentication vulnerability in the Browser Relay /cdp WebSocket endpoint that does not require authentication tokens, letting attackers steal session cookies and execute JavaScript in other tabs, exploit requires the extension to be installed and enabled.

Severity & Score

Severity: High

CVSS Score: 8.1

EPSS Score: 4.6%(Probability of exploitation in next 30 days)

Impact

Attackers can steal session cookies and execute JavaScript in other browser tabs, leading to session hijacking and potential account compromise.

Mitigation

Update to version 2026.2.1 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 6, 2026

🟠 CVE-2026-28458 - High (7.5) OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enabled) /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopb... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28458/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-28458
Severity: High
CVSS Score: 8.1
Type: broken_authentication
Status: new
EPSS: 4.6%
Social Posts: 1

CWE

CWE-306

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

EPSS Score

4.6%Probability of exploitation in the next 30 days