PT-2026-23524 · Google · Google Chrome

Qi Deng · Published 2026-02-17 · Updated 2026-05-26

CVE-2026-28395

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions: OpenClaw versions 2026.1.14-1 through 2026.2.11

Description: The software contains an improper network binding issue in the Chrome extension relay server. The server incorrectly handles wildcard hosts, treating them as loopback addresses, so the relay HTTP/WS server binds to all interfaces when a cdpUrl with a wildcard host is configured. Remote attackers can potentially reach relay HTTP endpoints from outside the intended network, which could expose service presence and port information. It could also enable denial-of-service and brute-force attacks against the relay token header. The vulnerable component is the Chrome extension relay server, specifically the ensureChromeExtensionRelayServer function; the cdpUrl value is the key factor in triggering the issue.

Recommendations: Update to version 2026.2.12 or later.
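The defensive check the description implies, as an added example: it is not OpenClaw's code and not taken from the advisory. It classifies the host of a configured cdpUrl so that a wildcard address (unspecified address) is never mistaken for loopback when the relay picks its bind address, and shows the conflation the description refers to beside a fixed decision that fails closed. Function names, the host sets and the sample URLs are assumptions made for this illustration.

```javascript
// Added illustration (not OpenClaw's code): derive a relay bind address from a
// cdpUrl without treating wildcard hosts as loopback. Function names, host sets
// and sample URLs below are assumptions, not values from the advisory.

const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "::1"]);
// Unspecified/wildcard forms: binding any of these listens on every interface.
const WILDCARD_HOSTS = new Set(["0.0.0.0", "::", "*"]);

// Extract a normalised hostname; null for anything the URL parser rejects.
function hostFromCdpUrl(cdpUrl) {
  let parsed;
  try {
    parsed = new URL(cdpUrl);
  } catch {
    return null;
  }
  // WHATWG URL keeps IPv6 literals bracketed ("[::1]"); strip for set lookups.
  return parsed.hostname.replace(/^\[(.*)\]$/, "$1").toLowerCase();
}

function classifyHost(host) {
  if (host === null || host === "") return "invalid";
  if (WILDCARD_HOSTS.has(host)) return "wildcard";
  if (LOOPBACK_HOSTS.has(host)) return "loopback";
  return "remote";
}

// Flawed decision of the kind the advisory describes (illustration only):
// wildcard and loopback land in the same "local" bucket, so a cdpUrl of
// ws://0.0.0.0:9222 makes the relay bind 0.0.0.0, i.e. all interfaces.
function naiveBindHost(cdpUrl) {
  const host = hostFromCdpUrl(cdpUrl);
  const kind = classifyHost(host);
  const looksLocal = kind === "loopback" || kind === "wildcard";
  return looksLocal ? host : "127.0.0.1";
}

// Hardened decision: only a genuine loopback host becomes the bind address;
// a wildcard host is refused (fail closed), and a remote CDP host keeps the
// relay on loopback, since the relay is a local helper, not a public service.
function safeBindHost(cdpUrl) {
  const host = hostFromCdpUrl(cdpUrl);
  switch (classifyHost(host)) {
    case "loopback":
      return { ok: true, host };
    case "remote":
      return { ok: true, host: "127.0.0.1" };
    case "wildcard":
      return { ok: false, reason: `refusing wildcard host "${host}" in cdpUrl` };
    default:
      return { ok: false, reason: `cdpUrl "${cdpUrl}" could not be parsed` };
  }
}

// Stand-alone demo over constructed sample URLs.
if (typeof require !== "undefined" && require.main === module) {
  const samples = ["ws://127.0.0.1:9222", "ws://[::1]:9222",
                   "ws://0.0.0.0:9222", "ws://[::]:9222", "not a url"];
  for (const u of samples) {
    console.log(u, "naive:", naiveBindHost(u), "safe:", JSON.stringify(safeBindHost(u)));
  }
}
```

The point of the split into classifyHost and safeBindHost is that the decision becomes testable on its own: a regression test asserting that "0.0.0.0" and "::" classify as wildcard, never loopback, catches this class of bug before the listener is ever opened.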

Tags: Fix · DoS · Improper Access Control


Weakness Enumeration

Related Identifiers

CVE-2026-28395
GHSA-QW99-GRCX-4PVM

Affected Products

Google Chrome
OpenClaw