OpenClaw Loopback Protection Bypass Vulnerability via Trailing-Dot Localhost in CDP Discovery
Vulnerability
A loopback protection bypass vulnerability has been identified in OpenClaw versions prior to 2026.4.2. The issue arises because the application fails to properly normalize trailing-dot localhost hosts in remote Chrome DevTools Protocol (CDP) discovery responses. This oversight allows attackers to craft malicious discovery responses that include localhost. to redirect authenticated browser control to localhost endpoints, potentially exposing sensitive browser state.
Impact
Exploitation of this vulnerability could lead to unauthorized access to localhost-resolving endpoints, allowing exposure of browser state backed by localhost.
Reproduction
The vulnerability can be reproduced by sending a remote CDP discovery response that includes a trailing-dot localhost host, such as 'localhost.'. This response will bypass OpenClaw's loopback normalization, allowing a non-loopback remote CDP profile to redirect connections back to localhost.
Remediation
Users can update to OpenClaw version 2026.4.2 or later, where this vulnerability has been patched.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.