Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 1 npm packages depend on openclaw (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.4.9.
DescriptionCVE.org
OpenClaw before 2026.4.9 contains a file read vulnerability allowing attackers to bypass navigation guards through browser act/evaluate interactions. Attackers can pivot into the local CDP origin and create or read disallowed file:// pages despite direct navigation policy restrictions.
AnalysisAI
Arbitrary file read in OpenClaw before 2026.4.9 allows authenticated remote attackers to bypass navigation guards and access local files via browser interaction routes. Attackers exploit the ability to trigger navigation into the local Chrome DevTools Protocol (CDP) origin through act/evaluate commands, then create or read disallowed file:// URLs despite direct navigation policy restrictions. Patch available in version 2026.4.9 and confirmed included in npm release 2026.4.14. No public exploit code identified at time of analysis, CVSS 7.1 (High) with network attack vector and low complexity.
Technical ContextAI
OpenClaw is a browser automation framework utilizing the Chrome DevTools Protocol (CDP) for programmatic control. The vulnerability stems from CWE-862 (Missing Authorization) in the navigation guard implementation. When browser interaction primitives (click, evaluate, batched actions) trigger main-frame navigations, the original implementation failed to re-validate destination URLs against configured SSRF quarantine policies. This allowed attackers to pivot from permitted origins into the local CDP control plane (typically http://127.0.0.1:9222) and subsequently navigate to file:// scheme URLs. The CDP origin provides elevated local access capabilities that should be protected by the navigation policy but were bypassed through the interaction-driven navigation path. The fix implements post-interaction URL validation by registering framenavigated event listeners that invoke assertPageNavigationCompletedSafely after browser interactions complete, ensuring all navigation paths enforce the same security policy.
RemediationAI
Upgrade OpenClaw to version 2026.4.9 or later. The npm package openclaw@2026.4.14 contains the verified fix. Patch delivered via GitHub commit 5f5b3d733bdd791cb457f838514179e1288b10b3 and pull request #63226, which implements post-navigation URL validation in browser interaction routes. Organizations unable to upgrade immediately should implement compensating controls: restrict OpenClaw API access to highly trusted users only, apply network segmentation to prevent CDP endpoint access from OpenClaw processes (block outbound connections to 127.0.0.1:9222 and similar CDP ports), and enable comprehensive audit logging of all browser.click, browser.evaluate, and batch interaction commands to detect potential abuse attempts. Note that blocking CDP access may break legitimate automation workflows that require devtools interaction. Review authentication mechanisms for OpenClaw instances and ensure multi-factor authentication where feasible. Advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-qmwg-qprg-3j38, Fix PR: https://github.com/openclaw/openclaw/pull/63226.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28166