{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/exposure/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["openclaw"],"_cs_severities":["high"],"_cs_tags":["cdp","devtools","sandbox","exposure","openclaw"],"_cs_type":"advisory","_cs_vendors":["openclaw"],"content_html":"\u003cp\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e package, a sandbox browser CDP relay, contains a vulnerability in versions prior to 2026.4.10. This vulnerability allows the Chrome DevTools Protocol (CDP) to be exposed more broadly than intended, potentially allowing unauthorized access. Specifically, the CDP relay could bind to \u003ccode\u003e0.0.0.0\u003c/code\u003e by default, which exposes the DevTools protocol to all network interfaces instead of restricting it to the local machine or sandbox environment. An attacker could potentially exploit this exposure to interact with and control the browser instance remotely, leading to information disclosure or remote code execution within the sandbox environment. The vulnerability was reported by @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer, and a fix has been implemented in version 2026.4.10 to enforce CDP source-range restriction.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a system running a vulnerable version of \u003ccode\u003eopenclaw\u003c/code\u003e (prior to 2026.4.10).\u003c/li\u003e\n\u003cli\u003eThe attacker scans the target system's network interfaces to identify the exposed Chrome DevTools Protocol (CDP) port, typically in the 9222+ range.\u003c/li\u003e\n\u003cli\u003eThe attacker connects to the exposed CDP endpoint, bypassing intended access controls due to the broad binding.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the CDP to inspect the browser's state, including loaded pages, cookies, and other sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages CDP commands to manipulate the browser, such as navigating to arbitrary URLs.\u003c/li\u003e\n\u003cli\u003eIf the sandbox environment is misconfigured, the attacker may attempt to exploit vulnerabilities in the browser or its plugins via the CDP connection.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially achieve remote code execution within the sandbox if suitable vulnerabilities are present.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised sandbox environment to pivot to other internal systems, depending on the sandbox's network configuration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could allow an attacker to gain unauthorized access to the Chrome DevTools Protocol of a sandboxed browser. This could lead to the leakage of sensitive information displayed in the browser, manipulation of the browser's behavior, and potentially remote code execution within the sandbox environment. The extent of the impact depends on the sensitivity of the data handled by the browser and the configuration of the sandbox itself.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eopenclaw\u003c/code\u003e package to version 2026.4.10 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect OpenClaw CDP Exposure via Network Connection\u0026quot; to identify potentially vulnerable systems by monitoring for network connections to the CDP port range.\u003c/li\u003e\n\u003cli\u003eReview and harden sandbox configurations to minimize the impact of potential CDP exploits.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual CDP traffic originating from or destined for systems running \u003ccode\u003eopenclaw\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-openclaw-cdp-exposure/","summary":"OpenClaw versions prior to 2026.4.10 are vulnerable to a configuration issue where the sandbox browser CDP relay could bind too broadly, exposing Chrome DevTools Protocol access outside the intended local/sandbox source range, potentially allowing unauthorized access to browser DevTools.","title":"OpenClaw Sandbox Browser CDP Relay Vulnerability Exposing DevTools Protocol","url":"https://feed.craftedsignal.io/briefs/2024-01-openclaw-cdp-exposure/"}],"language":"en","title":"CraftedSignal Threat Feed - Exposure","version":"https://jsonfeed.org/version/1.1"}