CVE-2026-41372 PUBLISHED

OpenClaw < 2026.4.2 - Loopback Protection Bypass via Trailing-Dot Localhost in CDP Discovery

Assigner: VulnCheck
Reserved: 20.04.2026 Published: 27.04.2026 Updated: 27.04.2026

OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning the host localhost. (with a trailing dot) to retarget authenticated browser control toward localhost endpoints and expose browser state.
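The defect described above is a host-comparison that only recognises the literal spelling of loopback names, so the root-label form localhost. slips past it. The following is an added example written for this advisory, not OpenClaw's code and not the vendor's fix: it shows the fragile exact-match check beside a normalizing check that canonicalizes the host (trailing dot, case, IPv6 brackets, IPv4-mapped addresses) before deciding whether a CDP WebSocket target from a remote discovery response points at loopback. The function names and the .localhost handling are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical naive check of the kind the advisory describes: exact string
# comparison, so the DNS root-label form "localhost." is not recognised.
def naive_is_loopback(host):
    return host in ("localhost", "127.0.0.1", "::1")


def normalize_host(host):
    """Canonicalize a host string before any allow/deny decision.

    - strip surrounding whitespace
    - strip IPv6 literal brackets ("[::1]" -> "::1")
    - lowercase (DNS names are case-insensitive)
    - remove trailing dots ("localhost." -> "localhost")
    """
    h = host.strip().lower()
    if h.startswith("[") and h.endswith("]"):
        h = h[1:-1]
    return h.rstrip(".")


def is_loopback(host):
    """True if the (normalized) host names a loopback endpoint."""
    h = normalize_host(host)
    # "localhost" and any name under ".localhost" resolve to loopback (RFC 6761).
    if h == "localhost" or h.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return False  # not an IP literal; treat as an ordinary remote name
    # "::ffff:127.0.0.1" is loopback once the IPv4-mapped form is unwrapped.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback


def discovery_target_allowed(ws_url, discovery_was_remote):
    """Decide whether a CDP WebSocket URL taken from a discovery response may be
    used. A remote discovery endpoint must never be allowed to redirect browser
    control to a loopback target on the client machine."""
    host = urlsplit(ws_url).hostname  # lowercases and strips brackets, keeps trailing dot
    if host is None:
        return False
    if discovery_was_remote and is_loopback(host):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: a hostile discovery response pointing at "localhost."
    hostile = "ws://localhost.:9222/devtools/browser/EXAMPLE-ID"
    print("naive check flags it:", naive_is_loopback(urlsplit(hostile).hostname))  # False
    print("normalizing check flags it:", is_loopback(urlsplit(hostile).hostname))   # True
    print("allowed from remote discovery:", discovery_target_allowed(hostile, True))  # False
```

The normalization belongs on the decision path itself, not only at the point the value is logged or displayed: every comparison against a loopback allow/deny list should receive the canonical form, and `urlsplit().hostname` alone is not enough because it preserves the trailing dot.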

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
CVSS Score: 6.9

Product Status

Vendor OpenClaw
Product OpenClaw
Versions Default: unaffected
  • affected from 0 to 2026.4.2 (excl.)
  • Version 2026.4.2 is unaffected

Credits

  • smaeljaish771 reporter
  • KeenSecurityLab finder

References

Problem Types

  • CWE-639 Authorization Bypass Through User-Controlled Key