Platform
nodejs
Component
openclaw
Fixed in
2026.2.22
CVE-2026-22174 describes a token injection vulnerability discovered in OpenClaw. This flaw allows local processes to intercept the Gateway authentication token by exploiting the injection of the x-OpenClaw-relay-token header into Chrome CDP probe traffic on loopback interfaces. The vulnerability impacts OpenClaw versions prior to 2026.2.22, and a fix is available in version 2026.2.22.
An attacker with access to a loopback port can exploit this vulnerability by intercepting Chrome CDP reachability probes to the /json/version endpoint. By doing so, they can capture the leaked authentication token and reuse it as a Gateway bearer authentication token. This allows the attacker to potentially gain unauthorized access to resources protected by the Gateway, depending on the token's permissions. The impact is limited to local access, as the vulnerability relies on loopback traffic, preventing remote exploitation. However, within a compromised local environment, the attacker's capabilities are significantly expanded.
CVE-2026-22174 was publicly disclosed on 2026-03-18. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog as of this writing. The probability of exploitation is considered low given the local access requirement and lack of public exploits, but should be monitored.
Development environments utilizing OpenClaw are at risk, particularly those with shared development machines or containers where multiple processes have access to the loopback interface. Systems with misconfigured network access controls allowing local processes to freely communicate on the loopback interface are also vulnerable.
• nodejs: Monitor OpenClaw logs for unusual CDP probe traffic on loopback interfaces (127.0.0.1).
• nodejs: Use netstat -an | grep :9229 to identify processes listening on the Chrome DevTools Protocol port (default 9229).
• nodejs: Inspect the x-OpenClaw-relay-token header in CDP probe requests using a network sniffer (e.g., Wireshark) on the loopback interface.
• nodejs: Check for unauthorized processes accessing the OpenClaw instance via the loopback interface.
disclosure
Exploit status
EPSS: 0.02% (4th percentile)
The primary mitigation for CVE-2026-22174 is to upgrade OpenClaw to version 2026.2.22 or later. If upgrading is not immediately feasible, consider isolating the OpenClaw instance from local processes that could potentially intercept the CDP traffic. This could involve restricting access to the loopback interface or implementing network segmentation. While a WAF is unlikely to be effective in this scenario due to the local nature of the attack, monitoring for unusual CDP traffic on the loopback interface could provide early detection. After upgrading, confirm the fix by verifying that the x-OpenClaw-relay-token header is no longer injected into CDP probe traffic on loopback interfaces.
Update OpenClaw to version 2026.2.22 or later. This fixes the vulnerability that allows disclosure of the authentication token through Chrome CDP probe traffic.
CVE-2026-22174 is a vulnerability in OpenClaw versions prior to 2026.2.22 that allows local processes to capture the Gateway authentication token via injected headers in Chrome CDP probe traffic.
You are affected if you run an OpenClaw version prior to 2026.2.22 and have local processes that could intercept CDP probe traffic on the loopback interface.
Upgrade OpenClaw to version 2026.2.22 or later. If upgrading is not possible, isolate the OpenClaw instance from local processes.
As of now, there are no known public exploits or confirmed active exploitation campaigns targeting CVE-2026-22174.
Refer to the OpenClaw project's official website or security advisories for the latest information regarding CVE-2026-22174.