Description
OpenClaw before 2026.3.31 contains a wide-area discovery vulnerability allowing arbitrary tailnet peers to be accepted as DNS authorities. Attackers with same-tailnet position and CA-trusted endpoint access can exfiltrate operator credentials through DNS steering manipulation.
Published: 2026-04-28
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: Credential Exfiltration via DNS Authority Acceptance
Action: Patch
AI Analysis

Impact

The vulnerability permits an attacker who shares a tailnet with a target system to have an arbitrary peer accepted as a DNS authority. Once accepted, that peer can manipulate DNS steering to redirect traffic, enabling the exfiltration of operator credentials. Credential theft is possible while the adversary remains inside the trusted network boundary, which represents a medium risk of sensitive data exposure.

Affected Systems

OpenClaw (vendor: OpenClaw) running on Node.js is affected when the version is older than 2026.3.31. Systems using the 2026.3.30 release or earlier are vulnerable. No other products or versions are currently listed as impacted.

Risk and Exploitability

The CVSS v4.0 base score of 5.9 (CVSS v3.1: 4.8) indicates moderate severity. Because the EPSS score is not available, the likelihood of exploitation cannot be quantified; however, the vulnerability was noted by the community without reports of active exploitation. The attack requires the attacker to be positioned on the same tailnet and to control a CA-trusted endpoint, meaning it is an internal threat that relies on privileged network access. The risk is heightened in environments where tailnet peers are broadly allowed to act as DNS authorities. The vulnerability is not listed in the CISA KEV catalog at this time.

Generated by OpenCVE AI on April 28, 2026 at 23:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.31 or later
  • Reconfigure tailnet settings to restrict DNS authority assignments to only pre‑approved peers
  • Ensure all CA‑trusted endpoints are verified and maintain strict access control for DNS steering components


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | OpenClaw before 2026.3.31 contains a wide-area discovery vulnerability allowing arbitrary tailnet peers to be accepted as DNS authorities. Attackers with same-tailnet position and CA-trusted endpoint access can exfiltrate operator credentials through DNS steering manipulation. |
| Title | | OpenClaw < 2026.3.31 - Arbitrary DNS Authority Acceptance and Credential Exfiltration via Wide-Area Discovery |
| First Time appeared | | Openclaw; Openclaw openclaw |
| Weaknesses | | CWE-346 |
| CPEs | | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* |
| Vendors & Products | | Openclaw; Openclaw openclaw |
| References | | |
| Metrics | | cvssV3_1: {'score': 4.8, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}; cvssV4_0: {'score': 5.9, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-29T12:50:27.756Z

Reserved: 2026-04-20T14:13:45.349Z

Link: CVE-2026-41393

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-28T19:37:42.590

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-41393

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:15:43Z
