Executive Summary

CVE-2026-41372 is a vulnerability in OpenClaw versions before 2026.4.2 where the software fails to properly normalize hostnames with a trailing dot appended to "localhost" in remote Chrome DevTools Protocol (CDP) discovery responses.

This improper normalization allows attackers to craft malicious discovery responses that include "localhost." as a target, bypassing loopback protections designed to restrict access to local endpoints.

By exploiting this, an attacker can redirect authenticated browser control sessions toward localhost endpoints, potentially exposing sensitive browser state and data that should be protected.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to bypass loopback protections and redirect authenticated browser control sessions to localhost endpoints.

As a result, sensitive browser state and data that are normally protected by loopback restrictions could be exposed to unauthorized parties.

The attack requires no privileges or user interaction and can be performed remotely over the network, increasing the risk of exploitation.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the failure to normalize trailing-dot localhost hostnames in remote Chrome DevTools Protocol (CDP) discovery responses, which can be detected by monitoring CDP discovery traffic for hostnames that include a trailing dot appended to "localhost" (e.g., "localhost.").

To detect this on your network or system, you can inspect network traffic or logs related to CDP discovery responses and look for any occurrences of hostnames with trailing dots on localhost.

Suggested commands include using network packet capture tools such as tcpdump or Wireshark to filter for CDP-related traffic and grep or similar tools to search for "localhost." in the captured data.

• tcpdump -i <interface> -A port <CDP_port> | grep 'localhost.'
• tshark -i <interface> -Y 'http contains "localhost."'
• grep -r 'localhost.' /var/log/<cdp_related_logs>/

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade OpenClaw to version 2026.4.2 or later, where the issue with trailing-dot localhost normalization in CDP discovery responses has been fixed.

This update includes proper normalization of trailing-dot localhost hostnames, preventing attackers from bypassing loopback protections.

Until the update can be applied, consider restricting or monitoring remote CDP discovery responses and connections to prevent unauthorized redirection to localhost endpoints.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-41372 allows attackers to bypass loopback protections and potentially expose browser state by redirecting authenticated browser control sessions to localhost endpoints. This exposure of browser state could lead to unauthorized access to sensitive information.

Such unauthorized exposure of sensitive data may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access.

However, the provided information does not explicitly discuss or analyze the direct impact of this vulnerability on compliance with these or other common standards and regulations.

Useful 0 Not Useful 0