PT-2026-23535 · Moltbot+1
Author: Johnatzeropath
Published: 2026-02-17 · Updated: 2026-03-18
CVE-2026-28458 · CVSS v3.1 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions 2026.1.20 through 2026.2.0; moltbot versions 0.1.0 and earlier.

Description: The Browser Relay /cdp WebSocket endpoint did not require authentication, allowing websites to connect via loopback and access sensitive data. Attackers can connect to ws://127.0.0.1:18792/cdp to steal session cookies and execute JavaScript in other browser tabs. Users must have the Browser Relay extension installed and active, and must visit an untrusted site for exploitation to occur.

The vulnerable component exposes a local WebSocket endpoint for forwarding Chrome DevTools Protocol (CDP) messages. The /cdp upgrade path verified that the TCP peer was loopback, but it did not require a shared secret and did not block browser-initiated cross-origin requests.

Recommendations: Update to OpenClaw version 2026.2.1 or later. If you cannot update immediately, disable the Browser Relay extension or relay server and avoid visiting untrusted sites.

Fix

Weakness Enumeration: Missing Authentication

Related Identifiers: CVE-2026-28458, GHSA-MR32-VWC2-5J6H

Affected Products: OpenClaw, Moltbot