GHSA-525j-hqq2-66r4: openclaw: CDP relay exposes browser DevTools on 0.0.0.0

GHSA-525j-hqq2-66r4 HIGH
Published April 17, 2026
CISO Take

openclaw's sandbox browser binds the Chrome DevTools Protocol relay to all network interfaces (0.0.0.0) instead of restricting it to localhost, meaning any attacker with network access to the host can take full, unauthenticated control of the agent's browser sessions. For AI agent deployments running openclaw in cloud or shared environments, this is a high-impact lateral movement vector — CDP access grants the ability to read cookies, inject JavaScript, intercept all requests, and manipulate anything the agent has authenticated access to. No public exploit or CISA KEV listing exists and the package has only 4 tracked downstream dependents, but openclaw's history of 135 CVEs in the same package signals persistent security hygiene issues that warrant elevated scrutiny of any deployment. Upgrade to openclaw 2026.4.10 or newer immediately; if patching is blocked, restrict the CDP port to localhost using firewall rules as an emergency workaround.

Sources: GitHub Advisory, ATLAS

What is the risk?

HIGH risk for cloud-hosted or network-exposed AI agent deployments. The vulnerability requires zero authentication — network reachability to the CDP port is sufficient for full browser control. CWE-1327 (Binding to Unrestricted IP) combined with CWE-284 (Improper Access Control) in an AI agent context creates a high-impact exposure surface, particularly for agents performing authenticated browsing of sensitive internal or cloud resources. Risk is partially mitigated by absence of a public exploit, KEV listing, or EPSS score, and the small downstream blast radius of 4 dependents. However, risk escalates significantly in multi-tenant, cloud-native, or container-orchestrated environments where agent hosts are network-reachable.

How does the attack unfold?

Reconnaissance (AML.T0006): Attacker scans for exposed CDP WebSocket ports (default 9222) on cloud hosts running openclaw agents using Shodan, Censys, or targeted nmap scans.

Initial Access (AML.T0049): Attacker connects to the unauthenticated CDP WebSocket endpoint (ws://target:9222/json) exposed due to 0.0.0.0 binding — no credentials or prior access required.

Credential Harvesting (AML.T0083): Through CDP, attacker extracts browser cookies, session tokens, and intercepts live network requests from the AI agent's authenticated sessions against internal and cloud systems.

Impact (AML.T0086): Attacker replays harvested credentials to access systems the AI agent was authenticated to, and optionally injects persistent JavaScript to monitor or manipulate future agent browsing activity for ongoing intelligence collection.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
OpenClaw | npm | < 2026.4.10 | 2026.4.10

4 dependents, 36% patched, ~3d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

5 steps
  1. PATCH

    Upgrade openclaw to 2026.4.10 or newer (2026.4.14 is the latest confirmed fixed release).

  2. NETWORK

    As an immediate workaround, restrict CDP port (default 9222) to localhost-only via iptables/nftables rules or cloud security group policies blocking external access.

  3. DETECT

    Audit all agent hosts for externally reachable WebSocket endpoints on port 9222. Query network flow logs for unexpected external connections to CDP ports.

  4. AUDIT

    Review browser debug logs on affected hosts for prior unauthorized CDP connections — external WebSocket connects to /json endpoint are a reliable indicator.

  5. ISOLATE

    Deploy openclaw in network-isolated containers with no external port exposure and enforce egress-only network policies for agent sandboxes.
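
For the host audit in the DETECT step, one way to check a machine for exposed listeners (an added example, not code from the advisory or from openclaw): it parses `ss -H -ltn` output and reports every listener on the default CDP port 9222 that is not bound to loopback. The sample output and the function names are constructed for illustration.

```python
import ipaddress

CDP_PORTS = {9222}  # default CDP port named in the advisory; extend if remapped

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 10            0.0.0.0:9222   0.0.0.0:*
LISTEN 0 10          127.0.0.1:9223   0.0.0.0:*
LISTEN 0 4096             [::]:9222      [::]:*
LISTEN 0 128             [::1]:9222      [::]:*
LISTEN 0 511                 *:3000         *:*
LISTEN 0 128    10.0.4.17%eth0:9222   0.0.0.0:*
"""

def classify_bind(addr):
    """Return 'loopback', 'wildcard', 'interface' or 'unparsed' for a bind address."""
    addr = addr.split("%", 1)[0].strip("[]")  # drop %iface scope, then IPv6 brackets
    if addr == "*":
        return "wildcard"                     # dual-stack wildcard as printed by ss
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparsed"                     # reported, so nothing is silently skipped
    if ip.is_loopback:
        return "loopback"
    return "wildcard" if ip.is_unspecified else "interface"

def exposed_cdp_listeners(ss_output, ports=CDP_PORTS):
    """List (local_address, bind_kind) for CDP listeners not limited to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in ports:
            continue
        kind = classify_bind(addr)
        if kind != "loopback":
            findings.append((fields[3], kind))
    return findings

if __name__ == "__main__":
    for local, kind in exposed_cdp_listeners(SAMPLE_SS):
        print(f"CDP listener not restricted to loopback: {local} ({kind})")
```

On a live host, pass the text produced by `ss -H -ltn` instead of the sample.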

How is it classified?

Which compliance frameworks are affected?

This advisory is relevant to:

EU AI Act: Art. 9 - Risk Management System
ISO 42001: A.8.2 - AI system security
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain the value of deployed AI
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions

Is GHSA-525j-hqq2-66r4 actively exploited?

No confirmed active exploitation of GHSA-525j-hqq2-66r4 has been reported, but organizations should still patch proactively.

How to fix GHSA-525j-hqq2-66r4?

1. PATCH: Upgrade openclaw to 2026.4.10 or newer (2026.4.14 is the latest confirmed fixed release).
2. NETWORK: As an immediate workaround, restrict CDP port (default 9222) to localhost-only via iptables/nftables rules or cloud security group policies blocking external access.
3. DETECT: Audit all agent hosts for externally reachable WebSocket endpoints on port 9222. Query network flow logs for unexpected external connections to CDP ports.
4. AUDIT: Review browser debug logs on affected hosts for prior unauthorized CDP connections — external WebSocket connects to /json endpoint are a reliable indicator.
5. ISOLATE: Deploy openclaw in network-isolated containers with no external port exposure and enforce egress-only network policies for agent sandboxes.
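
For the flow-log query in step 3, a sketch of the check (an added example, not part of the advisory or of openclaw): it reads records in the AWS VPC Flow Logs default (version 2) format and summarises, per source address, accepted and rejected TCP flows to port 9222 that come from outside the expected ranges. The choice of AWS format, the `expected_cidrs` allowlist and all sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

CDP_PORTS = {"9222"}  # default CDP port from the advisory
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed records in the VPC Flow Logs default format (documentation IP ranges).
SAMPLE_FLOWS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.45 10.0.4.17 51522 9222 6 14 2310 1776400000 1776400060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.45 10.0.4.17 51530 9222 6 40 90211 1776400060 1776400120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.4.9 10.0.4.17 40112 9222 6 9 1200 1776400000 1776400060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.4.17 44321 9222 6 1 40 1776400000 1776400060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.4.17 203.0.113.45 9222 51522 6 12 88000 1776400000 1776400060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1776400000 1776400060 - NODATA
"""

def unexpected_cdp_sources(flow_text, expected_cidrs=(), ports=CDP_PORTS):
    """Map each unexpected source IP to its accepted/rejected flow counts and bytes."""
    allowed = [ipaddress.ip_network(c) for c in expected_cidrs]
    report = defaultdict(lambda: {"accepted": 0, "rejected": 0, "bytes": 0})
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # not a default-format record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK" or rec["protocol"] != "6":
            continue                      # skip NODATA/SKIPDATA and non-TCP
        if rec["dstport"] not in ports:
            continue                      # return traffic has 9222 as srcport, not dstport
        src = ipaddress.ip_address(rec["srcaddr"])
        if any(src in net for net in allowed):
            continue                      # source inside the expected sandbox range
        entry = report[rec["srcaddr"]]
        if rec["action"] == "ACCEPT":     # the network path allowed the connection
            entry["accepted"] += 1
            entry["bytes"] += int(rec["bytes"])
        else:                             # blocked attempt, still worth recording
            entry["rejected"] += 1
    return dict(report)

if __name__ == "__main__":
    for src, stats in unexpected_cdp_sources(SAMPLE_FLOWS, ["10.0.4.0/24"]).items():
        print(src, stats)
```

Any source with a non-zero `accepted` count means the CDP port was reachable from that address during the logged interval.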

What systems are affected by GHSA-525j-hqq2-66r4?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, browser automation pipelines, AI-powered web scraping, agentic AI systems.

What is the CVSS score for GHSA-525j-hqq2-66r4?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, browser automation pipelines, AI-powered web scraping, agentic AI systems

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0083 Credentials from AI Agent Configuration
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.8.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

## Summary

Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.10`
- Patched versions: `>= 2026.4.10`

## Impact

The sandbox browser CDP relay could bind too broadly, exposing Chrome DevTools Protocol access outside the intended local/sandbox source range.

## Technical Details

The fix enforces CDP source-range restriction by default and avoids broad `0.0.0.0` exposure unless explicitly configured.

## Fix

The issue was fixed in #61404. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `fbf11ebdb7110632f93926d0ac7b48f04cb44d77`
- PR: #61404

## Release Process Note

Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.

Exploitation Scenario

An attacker performing reconnaissance on a company's AI agent infrastructure uses Shodan or a targeted nmap scan and discovers port 9222 reachable on a cloud VM running openclaw. The agent is part of an automated workflow that browses internal portals and SaaS dashboards — authenticated via corporate SSO cookies stored in the browser session. The attacker connects directly to ws://target-ip:9222/json with no credentials, enumerates open browser tabs, and attaches to the active session. They use CDP's Network.getAllCookies command to extract all session cookies, then replay them to access the corporate SSO, cloud console, and internal tooling the agent was authenticated to. Simultaneously, they inject a persistent JavaScript payload to silently log future agent browsing activity, establishing ongoing visibility into the organization's automated workflows.

Weaknesses (CWE)

CWE-1327 — Binding to an Unrestricted IP Address: The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.

  • [System Configuration] Assign IP addresses that are not 0.0.0.0.
  • [System Configuration] Unwanted connections to the configured server may be denied through a firewall or other packet filtering measures.

Source: MITRE CWE corpus.

Timeline

Published: April 17, 2026
Last Modified: April 17, 2026
First Seen: April 18, 2026
