PT-2026-33565 · Npm · Openclaw
Published
2026-04-07
·
Updated
2026-04-07
CVSS v3.1
5.8
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N |
Summary
Before OpenClaw 2026.4.2, remote CDP discovery could return a trailing-dot localhost host such as
localhost. and bypass OpenClaw's loopback-host normalization. That let a non-loopback remote CDP profile pivot the follow-up connection back onto localhost.Impact
A hostile discovery response could retarget authenticated browser control toward a localhost-resolving endpoint on the OpenClaw host. This weakened the existing remote-CDP loopback protection and could expose localhost-backed browser state.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.4.1 - Patched versions:
>= 2026.4.2 - Latest published npm version:
2026.4.1
Fix Commit(s)
9c22d636697336a6b22b0ae24798d8b8325d7828— normalize localhost absolute-form CDP hosts before loopback checks
Release Process Note
The fix is present on
main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live.Thanks @smaeljaish771 for reporting.
Fix
IDOR
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Openclaw