CVE-2026-41372

CVSS v3.1

5.8

Medium

AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning localhost. to retarget authenticated browser control toward localhost endpoints and expose browser state.

Fix

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-639

Related Identifiers

CVE-2026-41372

Affected Products

Openclaw

CVE-2026-41372

Weakness Enumeration

Related Identifiers

Affected Products

References · 4