CVE-2026-43581 Overview
CVE-2026-43581 is an improper network binding vulnerability in OpenClaw versions prior to 2026.4.10. The flaw resides in the sandbox browser Chrome DevTools Protocol (CDP) relay, which binds to 0.0.0.0 instead of a loopback interface. This overly broad binding exposes the CDP endpoint to any host reachable on the adjacent network. Attackers on the same local network segment can interact with Chrome DevTools Protocol and break out of the intended local sandbox boundary. The weakness is classified as [CWE-1188] Insecure Default Initialization of Resource.
Critical Impact
Adjacent network attackers can access the Chrome DevTools Protocol relay, enabling browser control, data theft, and code execution outside the intended sandbox boundary.
Affected Products
- OpenClaw versions before 2026.4.10
- OpenClaw sandbox browser CDP relay component
- Deployments exposing the CDP relay on adjacent network interfaces
Discovery Timeline
- 2026-05-06 - CVE-2026-43581 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43581
Vulnerability Analysis
The OpenClaw sandbox browser uses a CDP relay to broker Chrome DevTools Protocol traffic between the sandbox and the host process. The relay listener binds the socket to the wildcard address 0.0.0.0, which accepts connections on every network interface attached to the host. The intended design assumes the relay is reachable only through the local sandbox boundary on the loopback interface 127.0.0.1.
Chrome DevTools Protocol grants broad control over a browser instance. Operations include navigating to arbitrary URLs, executing JavaScript in page contexts, reading cookies and local storage, intercepting network traffic, and dumping memory. When the relay is exposed beyond loopback, any client that can reach the listening port can issue these CDP commands without authentication.
Root Cause
The root cause is an insecure default initialization of a network resource [CWE-1188]. The CDP relay socket is initialized with a wildcard bind address rather than a loopback-only address. No authentication, token check, or origin validation gates the WebSocket upgrade that CDP relies on. The fix in commit fbf11ebdb7110632f93926d0ac7b48f04cb44d77 constrains the binding to the local interface.
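The two controls the root cause says were absent, a loopback-only bind and a gated WebSocket upgrade, as an added Python example (not OpenClaw's code): the port 9222, the token query parameter, the header handling and the function names are assumptions.

```python
import ipaddress
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed values for this example; the real relay's port and
# token handling are not described on the page.
RELAY_BIND_HOST = "127.0.0.1"
RELAY_BIND_PORT = 9222            # assumed: Chrome's customary CDP port
RELAY_TOKEN = secrets.token_urlsafe(32)   # fresh per process start
WILDCARDS = {"0.0.0.0", "::", "*", ""}


def listen_address(configured_host=None):
    """Return the (host, port) the relay may bind to.

    The vulnerable behaviour was a wildcard bind; here the default is
    loopback and any non-loopback address is refused outright."""
    host = configured_host or RELAY_BIND_HOST
    if host in WILDCARDS or not ipaddress.ip_address(host).is_loopback:
        raise ValueError(f"relay bind address {host!r} is not loopback")
    return host, RELAY_BIND_PORT


def authorize_upgrade(peer_ip, headers, target, token=None):
    """Gate a WebSocket upgrade for the relay. Returns (allowed, reason).

    peer_ip: remote address of the TCP connection
    headers: request headers with lower-cased names
    target:  request-target, e.g. '/devtools/browser/<id>?token=...'"""
    if not ipaddress.ip_address(peer_ip).is_loopback:
        return False, "peer is not loopback"
    # The Host header must also name the loopback interface, so a
    # hostname that merely resolves to 127.0.0.1 does not pass.
    host = headers.get("host", "").rsplit(":", 1)[0].strip("[]")
    try:
        host_ok = ipaddress.ip_address(host).is_loopback
    except ValueError:
        host_ok = host == "localhost"
    if not host_ok:
        return False, "host header is not loopback"
    # CDP clients send no Origin; a web page driving the socket does.
    if "origin" in headers:
        return False, "browser-originated request refused"
    presented = parse_qs(urlsplit(target).query).get("token", [""])[0]
    if not secrets.compare_digest(presented, token or RELAY_TOKEN):
        return False, "missing or wrong token"
    return True, "ok"
```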
Attack Vector
Exploitation requires adjacent network access to a host running a vulnerable OpenClaw version. An attacker scans the local segment for the CDP relay port, connects to the WebSocket endpoint, and issues Page.navigate, Runtime.evaluate, or Network.getAllCookies commands. The attacker can pivot from browser control to credential theft, session hijacking, and execution of attacker-supplied JavaScript inside trusted origins loaded by the sandboxed browser.
No verified exploitation code is published. Refer to the GitHub Security Advisory GHSA-525j-hqq2-66r4 and the Vulncheck Advisory for technical details.
Detection Methods for CVE-2026-43581
Indicators of Compromise
- Listening sockets on non-loopback interfaces tied to the OpenClaw CDP relay process
- Inbound WebSocket connections to the relay port from hosts other than 127.0.0.1
- CDP method calls such as Runtime.evaluate, Page.navigate, or Network.getAllCookies originating from remote IP addresses
- Unexpected browser navigation events or JavaScript execution recorded in OpenClaw logs
Detection Strategies
- Run netstat -ano (Windows) or ss -tlnp (Linux) on hosts with OpenClaw to identify CDP relay sockets bound to 0.0.0.0 or [::]
- Inspect packet captures for WebSocket upgrade requests carrying the /devtools/ URI path from non-local sources
- Correlate process telemetry that links the OpenClaw binary to inbound TCP connections from adjacent network ranges
Monitoring Recommendations
- Alert on any process spawned by OpenClaw that opens a listening socket on a non-loopback address
- Monitor for HTTP requests to /json/version and /json/list endpoints, which CDP clients use for discovery
- Track outbound connections from sandboxed browser sessions to domains not initiated by user activity
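Added example (not OpenClaw's or the advisory's own code) implementing two of the checks listed under Detection Strategies and Monitoring Recommendations over constructed input: it flags wildcard-bound listeners belonging to the openclaw process in ss -tlnp output, and CDP discovery or DevTools WebSocket requests from non-loopback clients in a relay request log. The process name, port 9222 and the log line format are assumptions.

```python
import ipaddress
import re

# Constructed sample of `ss -tlnp` output; not captured from a real host.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*  users:(("cupsd",pid=812,fd=7))
LISTEN 0      511    0.0.0.0:9222        0.0.0.0:*  users:(("openclaw",pid=4021,fd=19))
LISTEN 0      511    [::]:9222           [::]:*     users:(("openclaw",pid=4021,fd=20))
LISTEN 0      128    127.0.0.1:18789     0.0.0.0:*  users:(("openclaw",pid=4021,fd=12))
"""
WILDCARDS = {"0.0.0.0", "::", "*"}

def wildcard_relay_sockets(ss_text, process="openclaw"):
    """Return (address, port, pid) for listeners of `process` bound to a
    wildcard address. A loopback-only relay yields an empty list."""
    hits = []
    for line in ss_text.splitlines()[1:]:          # skip header row
        cols = line.split()
        if len(cols) < 6 or f'"{process}"' not in cols[5]:
            continue
        addr, port = cols[3].rsplit(":", 1)
        if addr.strip("[]") in WILDCARDS:
            pid = int(re.search(r"pid=(\d+)", cols[5]).group(1))
            hits.append((addr.strip("[]"), int(port), pid))
    return hits

# Constructed relay request log: client ip, method, path, Upgrade header.
REQUEST_LOG = [
    "127.0.0.1 GET /json/version -",
    "192.168.1.57 GET /json/list -",
    "192.168.1.57 GET /devtools/browser/3f1c websocket",
    "127.0.0.1 GET /devtools/page/a9 websocket",
    "192.168.1.57 GET /healthz -",
]
CDP_PATHS = ("/json/", "/devtools/")

def remote_cdp_requests(lines):
    """Return log lines in which a non-loopback client reached a CDP
    discovery endpoint or a DevTools WebSocket path."""
    flagged = []
    for line in lines:
        client, _method, path, _upgrade = line.split()
        if ipaddress.ip_address(client).is_loopback:
            continue                                # expected traffic
        if path.startswith(CDP_PATHS):
            flagged.append(line)
    return flagged
```

Feed the first function live output from ss -tlnp and the second your relay or proxy access log; any non-empty result is a finding worth triage.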
How to Mitigate CVE-2026-43581
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.10 or later, which applies the binding fix in commit fbf11ebdb7110632f93926d0ac7b48f04cb44d77
- Inventory all hosts running OpenClaw and confirm the CDP relay is not reachable from adjacent network segments
- Restrict access to the CDP relay port at the host firewall until the patch is deployed
Patch Information
The maintainers fixed the issue in OpenClaw 2026.4.10. The patch binds the CDP relay listener to the loopback interface only. Review the GitHub Commit and the GitHub Security Advisory GHSA-525j-hqq2-66r4 for code-level details.
Workarounds
- Configure host firewall rules to deny inbound traffic to the CDP relay port from any source other than 127.0.0.1
- Place affected hosts on isolated network segments where adjacent attackers cannot reach the relay port
- Disable the sandbox browser feature in OpenClaw if it is not required by the deployment
# Configuration example
# Linux: block inbound CDP relay traffic from non-loopback sources.
# 9222 is Chrome's customary remote-debugging port; substitute the port
# the OpenClaw relay actually listens on if it differs. The rules are
# inserted at the head of the chain so an earlier ACCEPT cannot shadow them.
iptables -I INPUT -p tcp --dport 9222 ! -s 127.0.0.1 -j DROP
ip6tables -I INPUT -p tcp --dport 9222 ! -s ::1 -j DROP
# Verify the relay is bound only to loopback after upgrading: the
# Local Address:Port column should read 127.0.0.1:<port>, never
# 0.0.0.0:<port> or [::]:<port>
ss -tlnp | grep openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.