CVE-2026-41372

OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning localhost. to retarget authenticated browser control toward localhost endpoints and expose...

CVE-2026-41372

Technical details such as affected products, versions, root cause, and remediation are not publicly available in the provided documents. Monitor for updates from NVD, CVE lists, and vendor advisories.

CVE-2026-41372 OpenClaw < 2026.4.2 - Loopback Protection Bypass via Trailing-Dot Localhost in CDP Discovery

OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning localhost. to retarget authenticated browser control toward localhost endpoints and expose...

Improper Input Validation

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Input Validation via the CDP discovery process. An attacker can redirect authenticated browser control to a localhost-resolving endpoint by crafting a discovery response with a...