Description
OpenClaw is a personal AI assistant. Discovery beacons (Bonjour/mDNS and DNS-SD) include TXT records such as `lanHost`, `tailnetDns`, `gatewayPort`, and `gatewayTlsSha256`. TXT records are unauthenticated. Prior to version 2026.2.14, some clients treated TXT values as authoritative routing/pinning inputs. iOS and macOS used TXT-provided host hints (`lanHost`/`tailnetDns`) and ports (`gatewayPort`) to build the connection URL. iOS and Android allowed the discovery-provided TLS fingerprint (`gatewayTlsSha256`) to override a previously stored TLS pin. On a shared/untrusted LAN, an attacker could advertise a rogue `_openclaw-gw._tcp` service. This could cause a client to connect to an attacker-controlled endpoint and/or accept an attacker certificate, potentially exfiltrating Gateway credentials (`auth.token` / `auth.password`) during connection. As of time of publication, the iOS and Android apps are alpha/not broadly shipped (no public App Store / Play Store release). Practical impact is primarily limited to developers/testers running those builds, plus any other shipped clients relying on discovery on a shared/untrusted LAN. Version 2026.2.14 fixes the issue. Clients now prefer the resolved service endpoint (SRV + A/AAAA) over TXT-provided routing hints. Discovery-provided fingerprints no longer override stored TLS pins. In iOS/Android, first-time TLS pins require explicit user confirmation (fingerprint shown; no silent TOFU) and discovery-based direct connects are TLS-only. In Android, hostname verification is no longer globally disabled (only bypassed when pinning).
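The decision the advisory describes can be shown as a small discovery-resolution routine. The following is an added example, not OpenClaw's own code: `legacyResolve` models the pre-2026.2.14 behaviour (TXT hints choose host and port, and a TXT fingerprint silently replaces the stored pin), and `hardenedResolve` models the fixed behaviour (the SRV + A/AAAA endpoint wins, the stored pin is never overridden by discovery, first-time pins need explicit confirmation, and connects are TLS-only). The TXT keys `lanHost`, `tailnetDns`, `gatewayPort` and `gatewayTlsSha256` and the service type `_openclaw-gw._tcp` are from the advisory; the record shape, function names, `confirmPin` callback, `observedSha256` argument, port number, addresses and fingerprints are constructed for this example.

```javascript
'use strict';

// Parse DNS-SD TXT entries ("key=value" strings) into a plain object.
function parseTxt(entries) {
  const txt = {};
  for (const entry of entries || []) {
    const eq = entry.indexOf('=');
    if (eq <= 0) continue;                       // bare keys carry no value
    txt[entry.slice(0, eq)] = entry.slice(eq + 1);
  }
  return txt;
}

// Pre-2026.2.14 behaviour as the advisory describes it: unauthenticated TXT
// hints choose host and port, and a TXT fingerprint silently replaces the pin.
function legacyResolve(service, storedPin) {
  const txt = parseTxt(service.txt);
  return {
    host: txt.lanHost || txt.tailnetDns || service.srv.target,
    port: Number(txt.gatewayPort) || service.srv.port,
    pin: txt.gatewayTlsSha256 || storedPin || null,
    tls: true,
  };
}

// Hardened behaviour: the endpoint comes from SRV + A/AAAA, the stored pin is
// authoritative, and a first-time pin is accepted only after the user confirms
// the fingerprint seen in the TLS handshake (no silent TOFU).
// `observedSha256` (leaf-certificate fingerprint from the handshake) and
// `confirmPin` (the UI prompt) are assumptions of this example.
function hardenedResolve(service, storedPin, observedSha256, confirmPin) {
  const txt = parseTxt(service.txt);
  const endpoint = {
    host: service.addresses[0] || service.srv.target,   // resolved endpoint
    port: service.srv.port,                             // SRV port, not TXT
    tls: true,                                          // discovery connects are TLS-only
  };
  const warnings = [];
  if (txt.lanHost && txt.lanHost !== endpoint.host) {
    warnings.push(`TXT lanHost ${txt.lanHost} ignored; using resolved ${endpoint.host}`);
  }
  if (txt.gatewayPort && Number(txt.gatewayPort) !== endpoint.port) {
    warnings.push(`TXT gatewayPort ${txt.gatewayPort} ignored; using SRV port ${endpoint.port}`);
  }

  if (storedPin) {
    if (txt.gatewayTlsSha256 && txt.gatewayTlsSha256 !== storedPin) {
      warnings.push('TXT gatewayTlsSha256 differs from stored pin; TXT value ignored');
    }
    if (observedSha256 !== storedPin) {
      return { ok: false, reason: 'pin-mismatch', warnings };   // refuse to connect
    }
    return { ok: true, ...endpoint, pin: storedPin, warnings };
  }

  // First contact: show the observed fingerprint and require explicit approval.
  if (!confirmPin(observedSha256)) {
    return { ok: false, reason: 'pin-not-confirmed', warnings };
  }
  return { ok: true, ...endpoint, pin: observedSha256, firstTimePin: true, warnings };
}

// Constructed sample: an advertisement whose TXT record names a different
// host, port and fingerprint than the resolved service. Addresses are from
// TEST-NET-1 and the hashes are placeholders.
const sampleService = {
  name: 'home-gateway._openclaw-gw._tcp.local',
  srv: { target: 'home-gateway.local', port: 8443 },
  addresses: ['192.0.2.10'],
  txt: ['lanHost=192.0.2.66', 'gatewayPort=9999', 'gatewayTlsSha256=' + 'b'.repeat(64)],
};
const storedPin = 'a'.repeat(64);           // pin saved from an earlier session
const observedLeafSha256 = 'a'.repeat(64);  // fingerprint seen when connecting to 192.0.2.10

// Run both resolvers over the sample and return the two decisions side by side.
function demo() {
  return {
    legacy: legacyResolve(sampleService, storedPin),
    hardened: hardenedResolve(sampleService, storedPin, observedLeafSha256, () => true),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

On the sample, the legacy path follows the TXT hints to `192.0.2.66:9999` and adopts the advertised fingerprint, so a forged beacon fully controls where the client sends its Gateway credentials; the hardened path connects to the resolved `192.0.2.10:8443`, keeps the stored pin, logs the three ignored TXT values, and refuses the connection outright if the handshake presents a certificate that does not match the stored pin.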
Published: 2026-02-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential remote exfiltration of gateway credentials via malicious mDNS service
Action: Patch Immediately
AI Analysis

Impact

OpenClaw uses unprotected TXT records in Bonjour/mDNS discovery to provide routing hints and TLS fingerprints. Based on the description, it is inferred that an attacker on a shared or untrusted LAN can publish a rogue _openclaw-gw._tcp service that steers the client to an attacker‑controlled endpoint or forces it to accept an attacker’s certificate. This could lead to exfiltration of gateway credentials such as auth.token or auth.password. iOS and macOS clients used the TXT‑provided host hints and ports to build the connection URL, while iOS and Android allowed the discovery‑provided TLS fingerprint to override a previously stored TLS pin.

Affected Systems

The affected product is OpenClaw, developed by the official OpenClaw team, built on Node.js. All releases prior to version 2026.2.14 are vulnerable. The issue manifests in the iOS and Android apps, which were in alpha during the time of disclosure, but any client that relies on mDNS discovery over an untrusted LAN is also impacted. No other vendors or major version ranges are reported as affected.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity. The EPSS value of "< 1%" suggests that while exploitation is possible, the probability of a successful attack at any given time is low; the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker would need physical or Wi‑Fi access to a shared network to advertise a malicious service record, achievable through local mDNS spoofing. If the target uses an unreleased alpha client, the impact could expose sensitive gateway credentials; otherwise the risk is limited to developers or testers in controlled environments.

Generated by OpenCVE AI on April 18, 2026 at 17:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenClaw to version 2026.2.14 or later, which addresses the CWE-345 weakness by no longer treating unauthenticated TXT records as authoritative for routing or pinning and by preferring the resolved SRV and A/AAAA records.
  • If upgrading is not immediately possible, restrict or block Bonjour/mDNS traffic on untrusted LANs, or use network segmentation so that only trusted hosts can advertise `_openclaw-gw._tcp` services.
  • Verify that server certificates are validated against the expected hostname; for Android, ensure hostname verification is enabled (bypassed only when pinning) and that first-time TLS pins trigger a user confirmation prompt showing the fingerprint rather than silent TOFU. This enforces strict pinning against the insufficient-verification weakness (CWE-345) behind the routing and pinning issue.



Advisories

Source: Github GHSA
ID: GHSA-pv58-549p-qh99
Title: OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning
History

Mon, 23 Feb 2026 13:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Openclaw
Openclaw openclaw
Vendors & Products Openclaw
Openclaw openclaw

Thu, 19 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description OpenClaw is a personal AI assistant. Discovery beacons (Bonjour/mDNS and DNS-SD) include TXT records such as `lanHost`, `tailnetDns`, `gatewayPort`, and `gatewayTlsSha256`. TXT records are unauthenticated. Prior to version 2026.2.14, some clients treated TXT values as authoritative routing/pinning inputs. iOS and macOS used TXT-provided host hints (`lanHost`/`tailnetDns`) and ports (`gatewayPort`) to build the connection URL. iOS and Android allowed the discovery-provided TLS fingerprint (`gatewayTlsSha256`) to override a previously stored TLS pin. On a shared/untrusted LAN, an attacker could advertise a rogue `_openclaw-gw._tcp` service. This could cause a client to connect to an attacker-controlled endpoint and/or accept an attacker certificate, potentially exfiltrating Gateway credentials (`auth.token` / `auth.password`) during connection. As of time of publication, the iOS and Android apps are alpha/not broadly shipped (no public App Store / Play Store release). Practical impact is primarily limited to developers/testers running those builds, plus any other shipped clients relying on discovery on a shared/untrusted LAN. Version 2026.2.14 fixes the issue. Clients now prefer the resolved service endpoint (SRV + A/AAAA) over TXT-provided routing hints. Discovery-provided fingerprints no longer override stored TLS pins. In iOS/Android, first-time TLS pins require explicit user confirmation (fingerprint shown; no silent TOFU) and discovery-based direct connects are TLS-only. In Android, hostname verification is no longer globally disabled (only bypassed when pinning).
Title OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning
Weaknesses CWE-345
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-02-20T15:39:17.849Z

Reserved: 2026-02-13T16:27:51.809Z

Link: CVE-2026-26327

Vulnrichment

Updated: 2026-02-20T15:27:13.860Z

NVD

Status : Analyzed

Published: 2026-02-19T23:16:26.100

Modified: 2026-02-23T13:44:36.753

Link: CVE-2026-26327

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:00:06Z

Weaknesses