CVE-2026-28395 in OpenClaw
Summary
by MITRE • 03/06/2026
OpenClaw version 2026.1.14-1 prior to 2026.2.12 contains an improper network binding vulnerability in the Chrome extension (must be installed and enabled) relay server that treats wildcard hosts as loopback addresses, allowing the relay HTTP/WS server to bind to all interfaces when a wildcard cdpUrl is configured. Remote attackers can access relay HTTP endpoints off-host to leak service presence and port information, or conduct denial-of-service and brute-force attacks against the relay token header.
Analysis
by VulDB Data Team • 05/27/2026
CVE-2026-28395 affects OpenClaw version 2026.1.14-1 and earlier, specifically the relay server component of its Chrome extension. It is a critical improper network binding flaw rooted in how the relay handles wildcard host configurations: when a wildcard cdpUrl is configured, the relay HTTP/WS server binds to all network interfaces instead of restricting itself to loopback addresses as expected. The result is a fundamental gap in the network stack: internal services that should stay isolated to the host become reachable from outside it. The defect violates secure coding practice by failing to validate the bind host derived from the configuration as a genuine loopback address, so the attack surface extends beyond the intended boundary.
Exploitation goes through the Chrome extension's relay server, so the extension must be both installed and enabled for an attack to succeed. When attackers configure a wildcard cdpUrl, the relay incorrectly treats the wildcard as a loopback address and opens its HTTP/WS listener on every available network interface. This creates several attack vectors. Remote adversaries can enumerate service presence, discovering that the relay is running and which ports it uses, without any authorization. The relay token header becomes exposed to brute-force attacks that systematically test authentication tokens. And because the listener is reachable off-host, attackers can mount denial-of-service attacks by overwhelming the relay with requests, disrupting legitimate operation. The issue is classified under CWE-691, Insufficient Control Flow Management, since the system fails to control where its network access boundary lies.
The operational impact goes beyond simple information disclosure; the flaw yields an attack surface that supports several threat vectors. Remote attackers can use it for reconnaissance, identifying open ports and running services that would normally be hidden from external access. Reaching relay HTTP endpoints off-host undermines the system's security model, since unauthorized parties gain insight into internal network configuration and service availability. Organizations that rely on the Chrome extension for automated testing or monitoring are particularly affected, because the relay infrastructure becomes directly reachable. The relay token header protection loses its effectiveness once the underlying network binding is wrong, a cascading failure that compromises both confidentiality and availability. The vulnerability maps to ATT&CK techniques T1046 Network Service Scanning and T1499 Endpoint Denial of Service, as it enables both reconnaissance and disruption.
Mitigation for CVE-2026-28395 must address the immediate configuration issue and add broader controls against similar flaws. Organizations should upgrade immediately to OpenClaw version 2026.2.12 or later, which contains the patch that handles wildcard host configurations correctly. System administrators should review every wildcard cdpUrl configuration and replace it with a specific hostname or IP address so the relay no longer binds to all interfaces. Network segmentation should isolate the relay server components from external access, so that even a successful exploit stays limited in scope. The Chrome extension should run with strict permissions and be monitored for unauthorized access attempts. Security teams should deploy network monitoring capable of spotting traffic patterns that indicate port scanning or service enumeration. Regular audits should verify that all network binding configurations follow secure defaults and that wildcard entries are validated rather than accepted. The principle of least privilege should apply to the relay server components so that only necessary ports are exposed. Organizations should also consider additional authentication layers and rate limiting to protect the relay token header against brute force. Compliance with standards such as NIST SP 800-53 and ISO 27001 requires that network binding vulnerabilities of this kind be identified and remediated through a systematic vulnerability management process.