Listen to this Post
The vulnerability exists in openclaw’s handling of Chrome DevTools Protocol (CDP) endpoints. When a browser profile connects to a CDP `/json/version` endpoint, the returned JSON includes a `webSocketDebuggerUrl` field. Before the fix, openclaw trusted this URL without sufficient validation. An attacker controlling the first-hop CDP server could supply a `webSocketDebuggerUrl` pointing to an internal or external host of their choice (second-hop target). When openclaw attempted to connect to that WebSocket, it would pivot to the attacker‑specified host, effectively performing a Server‑Side Request Forgery (SSRF) attack across two hops. The attack bypasses typical SSRF protections because the initial CDP connection appears legitimate. The vulnerable code did not normalize or re‑validate the host and port from the `webSocketDebuggerUrl` before establishing the WebSocket connection. This allowed an untrusted URL to redirect the WebSocket connection to any reachable address, including cloud metadata endpoints, internal services, or other restricted network locations. The issue affects versions prior to 2026.4.5. The patch normalizes the URL, resolves it against the original CDP endpoint’s origin, and re‑validates that the target belongs to an allowed set before connecting.
Platform: npm
Version: <2026.4.5
Vulnerability : second-hop SSRF
Severity: medium
date: 2026-04-17
Prediction: 2026-04-20
What Undercode Say:
Check vulnerable version npm list openclaw | grep openclaw Upgrade to patched version npm install [email protected] Verify fix commit git log --oneline | grep bc356cc
Exploit:
Malicious CDP /json/version response
echo '{"webSocketDebuggerUrl":"ws://169.254.169.254/latest/meta-data/"}' | \
curl -X POST http://victim-cdp:9222/json/version -d @-
Protection from this CVE:
Upgrade to openclaw >=2026.4.5. If upgrade impossible, validate `webSocketDebuggerUrl` manually against allowlist before connection.
Impact:
Attackers can pivot from a compromised CDP endpoint to internal hosts, cloud metadata APIs, or other restricted services, leading to data leakage or lateral movement.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

