GHSA-f5fm-9jmp-c88r
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f5fm-9jmp-c88r
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-f5fm-9jmp-c88r/GHSA-f5fm-9jmp-c88r.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f5fm-9jmp-c88r
- Downstream
- Withdrawn
- 2026-05-06T19:03:41Z
- Published
- 2026-04-28T00:31:41Z
- Modified
- 2026-05-06T19:22:18.365587Z
- Severity
-
- 5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
- Summary
- Duplicate Advisory: OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections
- Details
-
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-fh32-73r9-rgh5. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning localhost. to retarget authenticated browser control toward localhost endpoints and expose browser state.
- Database specific
{ "github_reviewed_at": "2026-05-06T19:03:41Z", "nvd_published_at": "2026-04-28T00:16:26Z", "cwe_ids": [ "CWE-639" ], "severity": "MODERATE", "github_reviewed": true }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-fh32-73r9-rgh5
- https://nvd.nist.gov/vuln/detail/CVE-2026-41372
- https://github.com/openclaw/openclaw/commit/9c22d636697336a6b22b0ae24798d8b8325d7828
- https://www.vulncheck.com/advisories/openclaw-loopback-protection-bypass-via-trailing-dot-localhost-in-cdp-discovery
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw