The Chrome extension relay (ensureChromeExtensionRelayServer) previously treated wildcard hosts (0.0.0.0 / ::) as loopback, which could make it bind the relay HTTP/WS server to all interfaces when a wildcard cdpUrl was passed.
If configured with a wildcard cdpUrl, relay HTTP endpoints could become reachable off-host, leaking service presence/port and enabling DoS/brute-force traffic against the relay token header.
openclaw (npm)>= 2026.1.14-1 < 2026.2.12>= 2026.2.12 (released 2026-02-13)/json* auth and /cdp token checks landed in:Thanks @qi-scape for reporting.
| Score | Percentile |
|---|---|
| 0.20% | 41.51% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 6.5 | 3.1 | — |
|
| 6.3 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-qw99-grcx-4pvm ↗ |
| CVE | CVE-2026-28395 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | openclaw | >= 2026.1.14-1, < 2026.2.12 | 2026.2.12 | — |