Cyber Posture

CVE-2026-28468

Severity: High · Public PoC available

Published: 05 March 2026

Modified: 11 March 2026
KEV Added: not listed
Patch:
CVSS Score: 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (7.8th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28468 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in OpenClaw (vendor Openclaw, product Openclaw). Its CVSS v3.1 base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Information Discovery (T1217). EPSS ranks it at the 7.8th percentile by exploit likelihood (below the median). It is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-9 (Service Identification and Authentication).

Threat & Defense at a Glance

What attackers do: exploitation maps to Browser Information Discovery (T1217) and 4 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

IA-9 (prevent): requires the sandbox browser bridge server to identify and authenticate connecting clients or processes before accepting requests, directly countering the missing gateway authentication vulnerability.

AC-3 (prevent): mandates enforcement of approved authorizations for access to system resources such as browser control endpoints, preventing unauthenticated local attacker access.

SI-2 (prevent, recover): ensures timely identification, reporting, and patching of flaws such as the authentication bypass in OpenClaw versions prior to 2026.2.14, mitigating exploitation through software updates.

MITRE ATT&CK Enterprise Techniques

T1217 Browser Information Discovery (tactic: Discovery)
Adversaries may enumerate information about browsers to learn more about compromised environments.
T1059.007 JavaScript (tactic: Execution)
Adversaries may abuse various implementations of JavaScript for execution.
T1185 Browser Session Hijacking (tactic: Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie (tactic: Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
T1555.003 Credentials from Web Browsers (tactic: Credential Access)
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
Why these techniques?

Missing authentication on browser bridge endpoints directly enables local unauthorized tab enumeration and URL discovery (T1217), JavaScript execution in browser contexts (T1059.007), browser session hijacking (T1185), stealing web session cookies (T1539), and harvesting credentials from web browsers (T1555.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser bridge server in which it accepts requests without requiring gateway authentication, allowing local attackers to access browser control endpoints. A local attacker can enumerate tabs, retrieve WebSocket URLs, execute JavaScript, and exfiltrate cookies and session data from authenticated browser contexts.

Deeper analysis

CVE-2026-28468 affects OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14, specifically in the sandbox browser bridge server component. The vulnerability stems from the server accepting requests without requiring gateway authentication, which exposes browser control endpoints. Assigned CWE-306 (Missing Authentication for Critical Function), it has a CVSS v3.1 base score of 7.7 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts from local access.

Local attackers with access to the system can exploit this without privileges or user interaction. They gain unauthorized access to browser control endpoints, enabling tab enumeration, retrieval of WebSocket URLs, JavaScript execution, and exfiltration of cookies and session data from authenticated browser contexts.

Mitigation involves updating to OpenClaw version 2026.2.14 or later, as indicated by the affected version range. Relevant GitHub commits (4711a943e30bc58016247152ba06472dab09d0b0, 6dd6bce997c48752134f2d6ed89b27de01ced7e3, cd84885a4ac78eadb7bf321aae98db9519426d67) address the issue, alongside advisories at GHSA-h9g4-589h-68xv and vulncheck.com detailing the authentication bypass in the sandbox browser bridge server.
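The defect is a request path that dispatches browser-control operations before any gateway credential is checked. As an added illustration (not OpenClaw's own code, and not taken from the referenced commits), the handler below shows the vulnerable shape beside the hardened one: the gateway token is verified with a constant-time comparison before the endpoint is even resolved, so unauthenticated callers learn nothing about which endpoints exist, and every denial is recorded for detection. The endpoint names, the `x-gateway-token` header and the request shape are assumptions for the demonstration.

```javascript
// Constructed endpoint table for the demonstration; the real bridge's routes are not on this page.
const BROWSER_CONTROL_ENDPOINTS = new Set(['/tabs', '/tabs/ws-url', '/tabs/eval', '/cookies']);

// Audit trail of rejected requests: feed this to the gateway's logging so repeated
// unauthenticated hits on the bridge (the precondition for this CVE) become a detectable signal.
const deniedAttempts = [];

// Constant-time comparison so a wrong token is not distinguishable byte-by-byte via timing.
// An empty or unset server-side token must never match: a misconfigured bridge fails closed.
function tokenMatches(presented, expected) {
  if (typeof expected !== 'string' || expected.length === 0) return false;
  if (typeof presented !== 'string' || presented.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Vulnerable shape (CWE-306): any local caller that reaches the socket is served.
function handleUnauthenticated(req) {
  if (!BROWSER_CONTROL_ENDPOINTS.has(req.path)) return { status: 404 };
  return { status: 200, body: 'dispatched ' + req.path };
}

// Hardened shape: authenticate the caller first, then route. The 401 is returned before
// the route lookup so unauthenticated callers cannot enumerate endpoints by 404/200 differences.
function handleAuthenticated(req, gatewayToken) {
  const presented = (req.headers || {})['x-gateway-token'];
  if (!tokenMatches(presented, gatewayToken)) {
    deniedAttempts.push({ path: req.path, reason: presented ? 'bad-token' : 'missing-token' });
    return { status: 401 };
  }
  if (!BROWSER_CONTROL_ENDPOINTS.has(req.path)) return { status: 404 };
  return { status: 200, body: 'dispatched ' + req.path };
}

// Helper for tests and monitoring: how many requests the bridge has refused so far.
function deniedCount() {
  return deniedAttempts.length;
}
```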

Details

CWE(s): CWE-306 (Missing Authentication for Critical Function)

Affected Products

openclaw / openclaw: 2026.1.29 — 2026.2.14

CVEs Like This One

CVE-2026-32041 (same product: Openclaw Openclaw)
CVE-2026-28485 (same product: Openclaw Openclaw)
CVE-2026-28458 (same product: Openclaw Openclaw)
CVE-2026-28472 (same product: Openclaw Openclaw)
CVE-2026-32064 (same product: Openclaw Openclaw)
CVE-2026-28450 (same product: Openclaw Openclaw)
CVE-2026-26319 (same product: Openclaw Openclaw)
CVE-2026-32978 (same product: Openclaw Openclaw)
CVE-2026-28456 (same product: Openclaw Openclaw)
CVE-2026-42431 (same product: Openclaw Openclaw)

References