HIGH 7.7 npm
OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets
GHSA-f7fh-qg34-x2xh · CVE-2026-43576
Published · Modified
Description
Summary
CDP /json/version WebSocket URL could pivot to untrusted second-hop targets.
Affected Packages / Versions
- Package:
openclaw - Ecosystem: npm
- Affected versions:
< 2026.4.5 - Patched versions:
>= 2026.4.5
Impact
A browser profile could trust a CDP /json/version response whose webSocketDebuggerUrl pointed at a different host, enabling a second-hop SSRF-style pivot.
Technical Details
The fix normalizes and re-validates direct CDP WebSocket targets before connecting.
Fix
The issue was fixed in #60469. The first stable tag containing the fix is v2026.4.5, and openclaw@2026.4.14 includes the fix.
Fix Commit(s)
bc356cc8c2beaa747c71dd86cceab8f804699665- PR: #60469
Release Process Note
Users should upgrade to openclaw 2026.4.5 or newer. The latest npm release, 2026.4.14, already includes the fix.
Credits
Thanks to @tdjackey for reporting this issue.
References
- WEB https://github.com/openclaw/openclaw/security/advisories/GHSA-f7fh-qg34-x2xh
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-43576
- WEB https://github.com/openclaw/openclaw/pull/60469
- WEB https://github.com/openclaw/openclaw/commit/bc356cc8c2beaa747c71dd86cceab8f804699665
- PACKAGE https://github.com/openclaw/openclaw
- WEB https://www.vulncheck.com/advisories/openclaw-second-hop-ssrf-via-cdp-json-version-websocket-url
Ready to move
Start Securing
Free, no credit card | First findings in minutes