VDB
KO
MEDIUM

GHSA-qmwg-qprg-3j38

OpenClaw: Browser interaction routes could pivot into local CDP and regain file reads

Details

## Summary

Browser interaction routes could pivot into local CDP and regain file reads.

## Affected Packages / Versions

- Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.9` - Patched versions: `>= 2026.4.9`

## Impact

Browser act/evaluate interactions could trigger navigation into the local CDP origin and then create or read disallowed `file://` pages despite direct navigation guards.

## Technical Details

The fix re-checks browser URLs after interaction-driven navigations and blocks targets that violate the configured navigation policy.

## Fix

The issue was fixed in #63226. The first stable tag containing the fix is `v2026.4.9`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `5f5b3d733bdd791cb457f838514179e1288b10b3` - PR: #63226

## Release Process Note

Users should upgrade to `openclaw` 2026.4.9 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @tdjackey for reporting this issue.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / openclaw
Introduced in: 0 Fixed in: 2026.4.9
Fix npm install openclaw@2026.4.9

References