Cyber Posture

CVE-2026-28395

Severity: Medium · Public PoC: referenced

Published: 05 March 2026
Modified: 09 March 2026
KEV Added: not listed
Patch: fixed in OpenClaw 2026.2.12
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
EPSS Score: 0.0021 (42.4th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28395 is a medium-severity Binding to an Unrestricted IP Address (CWE-1327) vulnerability in OpenClaw (vendor OpenClaw). Its CVSS v3.1 base score is 6.5 (Medium): network-reachable, no privileges or user interaction required, with limited confidentiality and availability impact.

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046). EPSS ranks it at the 42.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Network Service Discovery (T1046), Brute Force (T1110) and Endpoint Denial of Service (T1499). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly addresses the improper network binding flaw by requiring timely identification, reporting, and correction, here by patching to the fixed OpenClaw version 2026.2.12.

SC-7 Boundary Protection (prevent)

Prevents remote attackers from reaching exposed relay HTTP/WS endpoints by monitoring and controlling communications at system boundaries. Until the patch is applied, a host firewall rule that limits the relay port to loopback traffic is the practical form of this control.

Configuration settings (prevent)

Mitigates misconfiguration risk by establishing and enforcing secure configuration settings that restrict network service bindings to loopback interfaces; in this case, not configuring a wildcard host in cdpUrl.

MITRE ATT&CK Enterprise Techniques

T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
T1110 Brute Force Credential Access
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
T1499 Endpoint Denial of Service Impact
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
Why these techniques?

The relay server becomes reachable from off-host without authentication (PR:N). That directly enables service discovery by probing for the relay's presence and ports (T1046), brute force against the relay token header (T1110), and denial of service against the relay (T1499).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

OpenClaw versions 2026.1.14-1 prior to 2026.2.12 contain an improper network binding vulnerability in the Chrome extension (must be installed and enabled) relay server that treats wildcard hosts as loopback addresses, allowing the relay HTTP/WS server to bind to all interfaces when a wildcard cdpUrl is configured. Remote attackers can access relay HTTP endpoints off-host to leak service presence and port information, or conduct denial-of-service and brute-force attacks against the relay token header.

Deeper analysis

CVE-2026-28395 is an improper network binding vulnerability (CWE-1327) affecting OpenClaw versions 2026.1.14-1 prior to 2026.2.12. The issue resides in the relay server of the Chrome extension, which must be installed and enabled. Specifically, the server incorrectly treats wildcard hosts as loopback addresses, causing the HTTP/WS relay server to bind to all network interfaces when a wildcard cdpUrl is configured. This has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L).

Remote attackers can exploit this vulnerability without privileges by accessing the relay HTTP endpoints from off-host networks. Successful exploitation enables detection of the service's presence and exposed ports, partial information disclosure via leaked service details, denial-of-service attacks against the relay, and brute-force attempts on the relay token header.

Advisories and patch notes, including GitHub security advisory GHSA-qw99-grcx-4pvm and commits 8d75a496bf5aaab1755c56cf48502d967c75a1d0 and a1e89afcc19efd641c02b24d66d689f181ae2b5c, recommend upgrading to OpenClaw version 2026.2.12 or later, where the binding logic is fixed to properly restrict wildcard configurations to loopback interfaces only. The VulnCheck advisory further details the unintended public binding via wildcard cdpUrl.
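As an added illustration (example code written for this page, not OpenClaw's relay implementation or its fix), the following JavaScript contrasts the unsafe pattern described above, a loopback check that also accepts the unspecified addresses 0.0.0.0 and ::, with a hardened resolver that pins a wildcard cdpUrl host to the loopback interface, and adds a post-listen guard that checks the address the kernel actually bound. The function names, the cdpUrl samples (9222 is only Chrome's default remote-debugging port) and the choice to map :: to ::1 are assumptions made for this example.

```javascript
// Added illustrative example for CVE-2026-28395 (not OpenClaw's code).
// Shows the unsafe "wildcard counts as loopback" pattern beside a hardened
// resolver that pins wildcard cdpUrl hosts to the loopback interface.
// Function names and the cdpUrl samples are constructed for this example.

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

function isIPv4(host) {
  const m = IPV4_RE.exec(host);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

// URL.hostname keeps the brackets around IPv6 literals ("[::1]"); strip them.
function normalizeHost(hostname) {
  const h = hostname.toLowerCase();
  return h.startsWith("[") && h.endsWith("]") ? h.slice(1, -1) : h;
}

// The "unspecified" addresses: listen() on either accepts on every interface.
function isWildcardHost(host) {
  return host === "0.0.0.0" || host === "::";
}

// Hardened classification: only real loopback names/addresses qualify.
// Caveat: "localhost" is trusted by name here; full IPv6 normalisation
// (e.g. ::ffff:127.0.0.1) is out of scope for this example.
function isLoopbackHost(hostname) {
  const h = normalizeHost(hostname);
  if (h === "localhost") return true;
  if (isIPv4(h)) return h.startsWith("127."); // the whole 127/8 block is loopback
  return h === "::1" || h === "0:0:0:0:0:0:0:1";
}

// Vulnerable pattern (illustrative): wildcard hosts pass the loopback check,
// so the relay later calls listen() on 0.0.0.0 / :: and is exposed off-host.
function isLoopbackHostUnsafe(hostname) {
  const h = normalizeHost(hostname);
  return isLoopbackHost(h) || isWildcardHost(h);
}

function resolveRelayBindHostUnsafe(cdpUrl) {
  const host = new URL(cdpUrl).hostname;
  if (!isLoopbackHostUnsafe(host)) {
    throw new Error(`refusing non-local cdpUrl host: ${host}`);
  }
  return normalizeHost(host); // "0.0.0.0" or "::" flows straight into listen()
}

// Hardened resolver: a wildcard cdpUrl host is mapped to the loopback address
// of the same family (an assumption of this example); anything else that is
// not loopback is rejected outright.
function resolveRelayBindHost(cdpUrl) {
  const host = normalizeHost(new URL(cdpUrl).hostname);
  if (host === "0.0.0.0") return "127.0.0.1";
  if (host === "::") return "::1";
  if (!isLoopbackHost(host)) {
    throw new Error(`refusing non-local cdpUrl host: ${host}`);
  }
  return host;
}

// Defence in depth: after listen(), verify the address the kernel actually
// bound, independently of how the host string was derived. `server` only
// needs address() and close(), which node:net / node:http servers provide.
function assertBoundToLoopback(server) {
  const addr = server.address();
  const bound = addr && typeof addr === "object" ? addr.address : null;
  if (bound === null || !isLoopbackHost(bound)) {
    server.close();
    throw new Error(`relay bound to non-loopback address: ${bound}`);
  }
  return bound;
}

// Demonstration with constructed cdpUrl values.
for (const u of ["ws://127.0.0.1:9222", "ws://0.0.0.0:9222", "ws://[::]:9222"]) {
  console.log(u, "unsafe ->", resolveRelayBindHostUnsafe(u),
              "| hardened ->", resolveRelayBindHost(u));
}
```

To check a running host rather than the code, list listening sockets (for example `ss -ltnp` on Linux) and confirm the relay's port is bound to 127.0.0.1 or ::1; a local address of 0.0.0.0 or :: means the wildcard path is active and the relay is reachable from other hosts.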

Details

CWE(s)

CWE-1327 Binding to an Unrestricted IP Address

Affected Products

openclaw / openclaw
2026.1.14-1 up to (excluding) 2026.2.12

CVEs Like This One

CVE-2026-32025Same product: Openclaw Openclaw
CVE-2026-43526Same product: Openclaw Openclaw
CVE-2026-28459Same product: Openclaw Openclaw
CVE-2026-32019Same product: Openclaw Openclaw
CVE-2026-29609Same product: Openclaw Openclaw
CVE-2026-31999Same product: Openclaw Openclaw
CVE-2026-25253Same product: Openclaw Openclaw
CVE-2026-43534Same product: Openclaw Openclaw
CVE-2026-32023Same product: Openclaw Openclaw
CVE-2026-35666Same product: Openclaw Openclaw
