PT-2026-33565 · Npm · Openclaw
Publicado
2026-04-07
·
Atualizado
2026-04-07
CVSS v3.1
5.8
Média
| Vetor | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N |
Summary
Before OpenClaw 2026.4.2, remote CDP discovery could return a trailing-dot localhost host such as
localhost. and bypass OpenClaw's loopback-host normalization. That let a non-loopback remote CDP profile pivot the follow-up connection back onto localhost.Impact
A hostile discovery response could retarget authenticated browser control toward a localhost-resolving endpoint on the OpenClaw host. This weakened the existing remote-CDP loopback protection and could expose localhost-backed browser state.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.4.1 - Patched versions:
>= 2026.4.2 - Latest published npm version:
2026.4.1
Fix Commit(s)
9c22d636697336a6b22b0ae24798d8b8325d7828— normalize localhost absolute-form CDP hosts before loopback checks
Release Process Note
The fix is present on
main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live.Thanks @smaeljaish771 for reporting.
Correção
IDOR
RCE
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Openclaw