GHSA-fh32-73r9-rgh5: OpenClaw: CDP host bypass exposes localhost browser state

Published April 7, 2026

CISO Take

OpenClaw's browser automation agent failed to normalize trailing-dot hostnames (e.g., `localhost.`) during remote Chrome DevTools Protocol discovery, allowing a hostile network response to redirect authenticated browser control sessions toward localhost-bound services on the victim host — effectively nullifying the package's own loopback protection. This exposes browser state held by the AI agent, including session cookies, OAuth tokens, and any sensitive data processed during automation tasks. No public exploit exists and the flaw is absent from CISA KEV, but this package carries 37 prior CVEs and a separate documented incident (AIID #1368) involving credential theft via the same OpenClaw ecosystem, signaling persistent security debt. Organizations running OpenClaw for browser-based AI agent workflows should upgrade to version 2026.4.2 immediately; if patching is blocked, isolate CDP discovery traffic to trusted network segments.

Sources: GitHub Advisory ATLAS

Risk Assessment

Medium practical risk, elevated by context. The exploit requires network-level ability to intercept or spoof CDP discovery responses — not trivially internet-accessible, but realistic in shared cloud environments, compromised CI/CD networks, or adversary-in-the-middle scenarios. The absence of CVSS scoring limits precise quantification, but bypassing an explicit security control (loopback enforcement) in an AI agent handling authenticated browser sessions pushes exploitability impact above the raw label. The 37-CVE package history and a live credential-theft incident in the same ecosystem indicate a pattern of insufficient security investment in this tool.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
openclaw	npm	<= 2026.4.1	`2026.4.2`

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

Recommended Action

Upgrade openclaw to >= 2026.4.2 — the fix normalizes absolute-form CDP hostnames (stripping trailing dots) before loopback evaluation.
If immediate upgrade is blocked, restrict CDP discovery to firewall-enforced trusted network segments; deny inbound CDP discovery responses from untrusted sources.
Audit all OpenClaw deployments for exposure of CDP discovery endpoints to shared or untrusted networks.
Review browser sessions managed by OpenClaw agents for over-privileged credential storage that could be exfiltrated on exploitation.
Monitor process-level localhost connection attempts from browser automation processes as a detection signal for active exploitation attempts.

Classification

Auth Bypass Data Extraction Agent Plugin AML.T0010.005 - AI Agent Tool AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0098 - AI Agent Tool Credential Harvesting

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

8.2 - AI system risk management

NIST AI RMF

GOVERN-1.2 - Organizational risk policies for AI

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Related AI Incidents (1)

Malicious OpenClaw Skills Reportedly Delivered AMOS Stealer and Exfiltrated Credentials via ClawHub

Feb 2026 Unknown threat actors distributing malicious OpenClaw skills, Unknown threat actors, Unknown malicious actors medium confidence

AIID #1368 documents credential exfiltration via malicious OpenClaw skills in the same package ecosystem. This CVE's localhost browser state exposure enables the same credential theft failure mode — untrusted content compromising OpenClaw's execution context to harvest authenticated session data.

AIID #1368

Source: AI Incident Database (AIID)

Technical Details

NVD Description

## Summary Before OpenClaw 2026.4.2, remote CDP discovery could return a trailing-dot localhost host such as `localhost.` and bypass OpenClaw's loopback-host normalization. That let a non-loopback remote CDP profile pivot the follow-up connection back onto localhost. ## Impact A hostile discovery response could retarget authenticated browser control toward a localhost-resolving endpoint on the OpenClaw host. This weakened the existing remote-CDP loopback protection and could expose localhost-backed browser state. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `9c22d636697336a6b22b0ae24798d8b8325d7828` — normalize localhost absolute-form CDP hosts before loopback checks ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @smaeljaish771 for reporting.

Exploitation Scenario

An attacker with network position (e.g., via ARP spoofing on a shared cloud LAN, a compromised upstream router, or a rogue service in the same Kubernetes namespace) intercepts OpenClaw's outbound CDP discovery request. The attacker replies with a crafted CDP profile specifying host `localhost.` (trailing dot). Because OpenClaw <= 2026.4.1 does not strip the trailing dot before its loopback check, the host passes validation as a non-loopback remote address. OpenClaw then establishes an authenticated CDP connection that resolves to localhost on its own host. The attacker now controls the agent's browser automation channel, reads session state including OAuth tokens and cookies, and can redirect the agent's subsequent actions — all within what the agent believes is its legitimate browser control context.