GHSA-f5fm-9jmp-c88r: Duplicate Advisory: OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections
(updated )
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-fh32-73r9-rgh5. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning localhost. to retarget authenticated browser control toward localhost endpoints and expose browser state.
References
- github.com/advisories/GHSA-f5fm-9jmp-c88r
- github.com/openclaw/openclaw/commit/9c22d636697336a6b22b0ae24798d8b8325d7828
- github.com/openclaw/openclaw/security/advisories/GHSA-fh32-73r9-rgh5
- nvd.nist.gov/vuln/detail/CVE-2026-41372
- www.vulncheck.com/advisories/openclaw-loopback-protection-bypass-via-trailing-dot-localhost-in-cdp-discovery
Code Behaviors & Features
Detect and mitigate GHSA-f5fm-9jmp-c88r with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →