CVE-2026-41372

OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning localhost. to retarget authenticated browser control toward localhost endpoints and expose browser state.

CVSS v3 5.8 MEDIUM

5.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/openclaw/openclaw/commit/9c22d636697336a6b22b0ae24798d8b8325d7828	Patch
https://github.com/openclaw/openclaw/security/advisories/GHSA-fh32-73r9-rgh5	Vendor Advisory
https://www.vulncheck.com/advisories/openclaw-loopback-protection-bypass-via-trailing-dot-localhost-in-cdp-discovery	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

28 Apr 2026, 18:43

Type	Values Removed	Values Added
References	~~() https://github.com/openclaw/openclaw/commit/9c22d636697336a6b22b0ae24798d8b8325d7828 -~~	() https://github.com/openclaw/openclaw/commit/9c22d636697336a6b22b0ae24798d8b8325d7828 - Patch
References	~~() https://github.com/openclaw/openclaw/security/advisories/GHSA-fh32-73r9-rgh5 -~~	() https://github.com/openclaw/openclaw/security/advisories/GHSA-fh32-73r9-rgh5 - Vendor Advisory
References	~~() https://www.vulncheck.com/advisories/openclaw-loopback-protection-bypass-via-trailing-dot-localhost-in-cdp-discovery -~~	() https://www.vulncheck.com/advisories/openclaw-loopback-protection-bypass-via-trailing-dot-localhost-in-cdp-discovery - Third Party Advisory
First Time		Openclaw openclaw Openclaw
CPE		cpe:2.3:a:openclaw:openclaw::::::node.js::*

28 Apr 2026, 00:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-28 00:16

Updated : 2026-04-28 18:43

NVD link : CVE-2026-41372

Mitre link : CVE-2026-41372

CVE.ORG link : CVE-2026-41372

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-41372", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-28T00:16:26.647", "references": [{"url": "https://github.com/openclaw/openclaw/commit/9c22d636697336a6b22b0ae24798d8b8325d7828", "tags": ["Patch"], "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fh32-73r9-rgh5", "tags": ["Vendor Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/openclaw-loopback-protection-bypass-via-trailing-dot-localhost-in-cdp-discovery", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning localhost. to retarget authenticated browser control toward localhost endpoints and expose browser state."}], "lastModified": "2026-04-28T18:43:52.167", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "9E93D9F1-C6FA-4AEE-AC8B-27CDEE77637C", "versionEndExcluding": "2026.4.2"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}