Skip to main content

Chrome EUVDEUVD-2026-12716

| CVE-2026-22174 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-03-18 VulnCheck GHSA-v3j7-34xh-6g3w
5.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 18, 2026 - 02:30 euvd
EUVD-2026-12716
Analysis Generated
Mar 18, 2026 - 02:30 vuln.today
Patch released
Mar 18, 2026 - 02:30 nvd
Patch available
CVE Published
Mar 18, 2026 - 01:34 nvd
MEDIUM 5.9

DescriptionCVE.org

OpenClaw versions prior to 2026.2.22 inject the x-OpenClaw-relay-token header into Chrome CDP probe traffic on loopback interfaces, allowing local processes to capture the Gateway authentication token. An attacker controlling a loopback port can intercept CDP reachability probes to the /json/version endpoint and reuse the leaked token as Gateway bearer authentication.

AnalysisAI

OpenClaw Gateway versions prior to 2026.2.22 leak authentication tokens through Chrome DevTools Protocol (CDP) probe traffic on loopback interfaces, allowing local attackers to intercept the x-OpenClaw-relay-token header and reuse it for unauthorized Gateway access. An attacker with local network access or control of a loopback port can capture reachability probes to the /json/version endpoint and escalate privileges by replaying the stolen token as bearer authentication. A vendor patch is available, and this vulnerability has been documented by VulnCheck with references to the official GitHub security advisory and patch commit.

Technical ContextAI

The vulnerability exists in how OpenClaw (cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*) implements Chrome DevTools Protocol (CDP) reachability probes on loopback interfaces. Chrome CDP is a debugging protocol that communicates over localhost by design; however, OpenClaw incorrectly injects the x-OpenClaw-relay-token header—intended for Gateway authentication—into these probes rather than using a separate, probe-specific credential mechanism. This violates the principle of least privilege in credential handling and stems from CWE-306 (Missing Authentication for Critical Function), where sensitive authentication material is transmitted without appropriate protection or context-specific isolation. The root cause is a failure to distinguish between production authentication tokens and diagnostic/probe traffic, resulting in confidential tokens being exposed to any process listening on loopback ports.

RemediationAI

Upgrade OpenClaw to version 2026.2.22 or later immediately; the vendor patch is available and should be applied without delay. If immediate patching is not feasible, implement network-level mitigations by restricting loopback interface access to trusted processes only, disabling CDP probes if not required for monitoring, and monitoring /json/version endpoint access logs for suspicious patterns. Additionally, enforce token rotation policies and revoke any tokens that may have been exposed during the window of vulnerability. Implement host-level network segmentation using firewall rules to prevent unprivileged processes from binding to loopback ports that OpenClaw uses for probes. For development and container environments, use network policies and seccomp/AppArmor profiles to isolate OpenClaw processes from other local services.

More in Chrome

View all
CVE-2015-5122 CRITICAL POC
9.8 Jul 14

Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player

CVE-2016-5198 HIGH POC
8.8 Jan 19

V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac

CVE-2017-5070 HIGH POC
8.8 Oct 27

Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a

CVE-2016-1646 HIGH POC
8.8 Mar 29

The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do

CVE-2013-0758 CRITICAL POC
9.3 Jan 13

Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb

CVE-2017-5030 HIGH POC
8.8 Apr 24

Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.

CVE-2012-3993 CRITICAL POC
9.3 Oct 10

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi

CVE-2017-3823 HIGH POC
8.8 Feb 01

An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta

CVE-2014-8636 HIGH POC
7.5 Jan 14

The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with

CVE-2013-0757 CRITICAL POC
9.3 Jan 13

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi

CVE-2014-1510 CRITICAL POC
9.8 Mar 19

The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se

CVE-2015-5123 CRITICAL
9.8 Jul 14

Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13

Share

EUVD-2026-12716 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy