CVE-2026-43581

CRITICAL CVSS 9.6 View on NVD ↗

Description

OpenClaw before 2026.4.10 contains an improper network binding vulnerability in the sandbox browser CDP relay that exposes Chrome DevTools Protocol on 0.0.0.0. Attackers can access the DevTools protocol outside intended local sandbox boundaries by exploiting the overly broad binding configuration.

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected Products

openclaw/openclaw

References

https://github.com/openclaw/openclaw/commit/fbf11ebdb7110632f93926d0ac7b48f04cb44d77
https://github.com/openclaw/openclaw/security/advisories/GHSA-525j-hqq2-66r4
https://www.vulncheck.com/advisories/openclaw-chrome-devtools-protocol-exposure-via-overly-broad-cdp-relay-binding

Published: May 06, 2026 20:16 UTC Modified: May 07, 2026 14:41 UTC