CVE-2026-41372
Hostname Normalization Bypass in OpenClaw Enables Loopback Protection Bypass
Publication date: 2026-04-28
Last updated on: 2026-04-28
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | before 2026.4.2 (2026.4.2 itself excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-41372 allows attackers to bypass loopback protections and potentially expose browser state by redirecting authenticated browser control sessions to localhost endpoints. This exposure of browser state could lead to unauthorized access to sensitive information.
Such unauthorized exposure of sensitive data may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access.
However, the provided information does not explicitly discuss or analyze the direct impact of this vulnerability on compliance with these or other common standards and regulations.
Can you explain this vulnerability to me?
CVE-2026-41372 is a vulnerability in OpenClaw versions before 2026.4.2 where the software fails to properly normalize hostnames with a trailing dot appended to "localhost" in remote Chrome DevTools Protocol (CDP) discovery responses.
This improper normalization allows attackers to craft malicious discovery responses that include "localhost." as a target, bypassing loopback protections designed to restrict access to local endpoints.
By exploiting this, an attacker can redirect authenticated browser control sessions toward localhost endpoints, potentially exposing sensitive browser state and data that should be protected.
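The following is an added illustration, not code from OpenClaw or from the advisory, of the normalization problem described above: a loopback check that compares the hostname literally lets "localhost." through, while a check that strips trailing dots and lowercases before comparing does not. The discovery-response URL format (a ws:// WebSocket URL) and the function names are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

LOOPBACK_NAMES = {"localhost"}


def normalize_host(host: str) -> str:
    """Canonical form for comparison: lowercase, IPv6 brackets removed,
    trailing dots (fully-qualified-name marker) stripped."""
    h = host.strip().lower()
    if h.startswith("[") and h.endswith("]"):
        h = h[1:-1]
    return h.rstrip(".")


def is_loopback_naive(host: str) -> bool:
    """Literal comparison: the style of check the advisory describes as bypassable,
    because 'localhost.' is not the string 'localhost'."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def is_loopback_hardened(host: str) -> bool:
    """Normalize first, then compare; 'localhost.', 'LOCALHOST..' and '[::1]'
    are all recognised as loopback."""
    h = normalize_host(host)
    if h in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:
        return False


def discovery_target_allowed(ws_url: str, expected_remote_host: str) -> bool:
    """Assumed policy for a remote CDP discovery response: the WebSocket target it
    advertises must point back at the remote host that was queried and must never
    resolve to a loopback endpoint on the client side."""
    host = urlsplit(ws_url).hostname
    if not host:
        return False
    if is_loopback_hardened(host):
        return False
    return normalize_host(host) == normalize_host(expected_remote_host)


if __name__ == "__main__":
    # Constructed inputs: a trailing-dot hostname slips past the literal check only.
    for h in ("localhost", "localhost.", "LOCALHOST..", "127.0.0.1", "[::1]", "cdp.example.test"):
        print(f"{h!r:20} naive={is_loopback_naive(h)!s:5} hardened={is_loopback_hardened(h)}")
```

The hardened variant deliberately normalizes before every comparison, so the same helper should be applied to any allow-list or deny-list that mentions hostnames, not only to the loopback check.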
How can this vulnerability impact me?
This vulnerability can allow an attacker to bypass loopback protections and redirect authenticated browser control sessions to localhost endpoints.
As a result, sensitive browser state and data that are normally protected by loopback restrictions could be exposed to unauthorized parties.
The attack requires no privileges or user interaction and can be performed remotely over the network, increasing the risk of exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the failure to normalize trailing-dot localhost hostnames in remote Chrome DevTools Protocol (CDP) discovery responses, which can be detected by monitoring CDP discovery traffic for hostnames that include a trailing dot appended to "localhost" (e.g., "localhost.").
To detect this on your network or system, you can inspect network traffic or logs related to CDP discovery responses and look for any occurrences of hostnames with trailing dots on localhost.
Suggested commands use packet capture tools such as tcpdump or tshark (Wireshark) to filter CDP-related traffic, and grep to search for "localhost." in the captured data. In a grep pattern the dot must be escaped, otherwise it matches any character and the search also reports "localhost:" and similar strings.
- tcpdump -i <interface> -A port <CDP_port> | grep 'localhost\.'
- tshark -i <interface> -Y 'http contains "localhost."'
- grep -r 'localhost\.' /var/log/<cdp_related_logs>/
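As an added detection example (not part of the advisory and not OpenClaw's code), the script below scans captured log lines and a CDP discovery body for a "localhost" hostname carrying a trailing dot. It only inspects the host portion of ws://, wss://, http:// and https:// URLs, so a plain text search for "localhost." would not be misled by a real name such as "localhost.example.test". The log line layout, the host names and the discovery JSON are constructed sample data; the assumption that a discovery response is a JSON array of targets with a webSocketDebuggerUrl field follows the Chrome DevTools /json/list format.

```python
import json
import re
from urllib.parse import urlsplit

# Hostname of any ws/wss/http/https URL, stopping at ':' (port), '/' or whitespace.
HOST_IN_URL = re.compile(r'(?:wss?|https?)://([^/:\s"\']+)', re.IGNORECASE)

# Constructed sample log lines; the third and fourth carry the trailing-dot form.
SAMPLE_LINES = [
    '2026-04-28T10:00:01Z cdp-discovery GET http://cdp.example.test:9222/json/list 200',
    '2026-04-28T10:00:01Z cdp-discovery target ws://cdp.example.test:9222/devtools/page/A1',
    '2026-04-28T10:00:02Z cdp-discovery target ws://localhost.:9222/devtools/page/B2',
    '2026-04-28T10:00:03Z cdp-discovery target ws://LOCALHOST..:9229/devtools/page/C3',
    '2026-04-28T10:00:04Z cdp-discovery target ws://localhost:9222/devtools/page/D4',
    '2026-04-28T10:00:05Z app note: localhost.example.test is a real host',
]

# Constructed discovery body in the assumed /json/list shape.
SAMPLE_BODY = json.dumps([
    {"id": "A1", "type": "page",
     "webSocketDebuggerUrl": "ws://cdp.example.test:9222/devtools/page/A1"},
    {"id": "B2", "type": "page",
     "webSocketDebuggerUrl": "ws://localhost.:9222/devtools/page/B2"},
])


def is_trailing_dot_localhost(host: str) -> bool:
    """True for 'localhost.' and 'LOCALHOST..' but not for 'localhost' or
    'localhost.example.test'."""
    h = host.lower()
    return h.endswith(".") and h.rstrip(".") == "localhost"


def scan_lines(lines):
    """Return (1-based line number, offending host) for every URL whose host is
    a trailing-dot localhost."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for host in HOST_IN_URL.findall(line):
            if is_trailing_dot_localhost(host):
                hits.append((n, host))
    return hits


def scan_discovery_body(body: str):
    """Return the webSocketDebuggerUrl values in a discovery response whose host
    is a trailing-dot localhost. Unparseable or unexpected bodies yield []."""
    try:
        targets = json.loads(body)
    except ValueError:
        return []
    if not isinstance(targets, list):
        return []
    hits = []
    for target in targets:
        url = target.get("webSocketDebuggerUrl", "") if isinstance(target, dict) else ""
        host = urlsplit(url).hostname or ""
        if is_trailing_dot_localhost(host):
            hits.append(url)
    return hits


if __name__ == "__main__":
    for n, host in scan_lines(SAMPLE_LINES):
        print(f"line {n}: trailing-dot localhost target {host!r}")
    for url in scan_discovery_body(SAMPLE_BODY):
        print(f"discovery body: suspicious target {url}")
```

The fifth sample line (a bare "localhost" advertised by a remote discovery endpoint) is not flagged here because the advisory's detection rule concerns the trailing-dot form; a deployment that never expects a remote discovery response to point at loopback at all can extend is_trailing_dot_localhost to flag any loopback host.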
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade OpenClaw to version 2026.4.2 or later, where the issue with trailing-dot localhost normalization in CDP discovery responses has been fixed.
This update includes proper normalization of trailing-dot localhost hostnames, preventing attackers from bypassing loopback protections.
Until the update can be applied, consider restricting or monitoring remote CDP discovery responses and connections to prevent unauthorized redirection to localhost endpoints.