Description
OpenClaw before 2026.5.7 contains a hostname validation vulnerability in retry endpoint checks that allows matching hostname prefixes instead of exact hostnames. Attackers can exploit this by crafting a hostname prefix resembling a trusted host to send authentication material to untrusted endpoints.
Published: 2026-06-12
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw versions earlier than 2026.5.7 contain a hostname validation flaw in the retry endpoint check. The validation logic accepts any hostname that begins with a trusted hostname, instead of requiring an exact match. An attacker who controls a host whose name starts with a trusted host's name (the trusted name followed by further characters or DNS labels) can cause the application to send authentication or session material to that untrusted endpoint when the request is retried. The flaw is an instance of CWE-1023 (Incomplete Comparison with Missing Factors): the comparison considers only the leading characters of the hostname and ignores what follows them. As a result, credential information may be disclosed to an attacker posing as a legitimate service.

Affected Systems

The vulnerability affects the OpenClaw product from vendor Openclaw, which the CPE entry records as a node.js application. All releases before 2026.5.7 are impacted; the CPE entry (cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*) carries no lower version bound.

Risk and Exploitability

The CVSS v3.1 score of 6.5 and the CVSS v4.0 score of 6 both denote medium severity. The EPSS probability is below 1%, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates the issue as not automatable. Both CVSS vectors require low privileges (PR:L) and no user interaction (UI:N), so the attacker needs some authenticated or otherwise limited foothold rather than none; the v4.0 vector additionally records attack requirements (AT:P), meaning a precondition outside the attacker's direct control must hold. An attacker who meets those conditions and introduces an endpoint whose hostname begins with a trusted hostname can trigger the retry logic and have authentication material transmitted to a host they control. The impact is confidentiality only (C:H / VC:H, with no integrity or availability impact), and once the retry fires no further interaction is needed for the credential to leak.

Generated by OpenCVE AI on June 13, 2026 at 00:05 UTC.

Remediation

No vendor fix or workaround is recorded in the CVE entry itself. The affected-version boundary ("before 2026.5.7") indicates that 2026.5.7 is the first release with corrected hostname validation.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.5.7 or later, which contains the fixed hostname validation logic.
  • If an upgrade cannot be performed immediately, modify or patch the retry endpoint configuration to enforce exact hostname matching and reject prefix matches.
  • Deploy outbound traffic filtering or monitor authentication logs to detect and block any attempts to send credential data to unexpected or untrusted hosts.

Generated by OpenCVE AI on June 13, 2026 at 00:05 UTC.
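As an added illustration that is not code from OpenClaw or OpenCVE: the prefix-comparison pattern the Impact section describes, placed next to the exact-match check the recommended actions call for, plus the label-boundary variant to use when subdomains of a parent are meant to be trusted. The hostnames, the TRUSTED_HOSTS and TRUSTED_PARENTS allowlists, and every function name here are assumptions made for the example; they do not describe OpenClaw's actual configuration or API.

```javascript
// Added example, not code from OpenClaw. Trusted host names, the allowlists and
// all function names below are assumptions made for illustration.

const TRUSTED_HOSTS = ["api.openclaw.example", "auth.openclaw.example"];
// Parent domains whose subdomains are also trusted (used by the suffix check).
const TRUSTED_PARENTS = ["openclaw.example"];

// Parse the retry target and return its canonical hostname, or null if the
// string is not a URL. The WHATWG URL parser lower-cases the host, separates
// the port and userinfo, and punycodes IDNs; a trailing dot is stripped here.
function canonicalHost(rawUrl) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch {
    return null;
  }
  return parsed.hostname.replace(/\.$/, "").toLowerCase();
}

// Vulnerable pattern (CWE-1023): a hostname is accepted if it merely starts
// with a trusted hostname, so "api.openclaw.example.attacker.test" and
// "api.openclaw.examplefoo.test" both pass.
function isTrustedHostPrefix(rawUrl) {
  const host = canonicalHost(rawUrl);
  return host !== null && TRUSTED_HOSTS.some((t) => host.startsWith(t));
}

// Hardened check: the canonical hostname must equal a trusted entry exactly.
function isTrustedHostExact(rawUrl) {
  const host = canonicalHost(rawUrl);
  return host !== null && TRUSTED_HOSTS.includes(host);
}

// When subdomains of a parent domain are meant to be trusted, the comparison
// must be anchored at a label boundary: equal to the parent, or ending in
// "." + parent. A bare endsWith(parent) would accept "notopenclaw.example".
function isTrustedHostOrSubdomain(rawUrl) {
  const host = canonicalHost(rawUrl);
  if (host === null) return false;
  return TRUSTED_PARENTS.some((p) => host === p || host.endsWith("." + p));
}

// Build headers for a retried request, attaching the bearer token only when
// the exact host check passes, so a mismatched host never sees the credential.
function buildRetryHeaders(retryUrl, token) {
  const headers = { "user-agent": "example-retry-client" };
  if (isTrustedHostExact(retryUrl)) {
    headers.authorization = `Bearer ${token}`;
  }
  return headers;
}

// Constructed retry targets: one legitimate, two prefix look-alikes, one
// userinfo trick that only a real URL parser resolves correctly.
for (const u of [
  "https://api.openclaw.example/retry",
  "https://api.openclaw.example.attacker.test/retry",
  "https://api.openclaw.examplefoo.test/retry",
  "https://api.openclaw.example@attacker.test/retry",
]) {
  console.log(u, "prefix:", isTrustedHostPrefix(u), "exact:", isTrustedHostExact(u));
}
```

The point of canonicalHost is that the comparison runs on what the URL parser will actually connect to, not on the raw string: case, a trailing dot, an explicit port and a userinfo prefix are all handled before the allowlist is consulted. If the deployment also needs to pin the scheme or port, compare those fields from the parsed URL separately rather than widening the hostname comparison.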


Advisories

No advisories yet.

History

Mon, 15 Jun 2026 19:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 22:15:00 +0000

Type                | Values Removed | Values Added
Description         |                | OpenClaw before 2026.5.7 contains a hostname validation vulnerability in retry endpoint checks that allows matching hostname prefixes instead of exact hostnames. Attackers can exploit this by crafting a hostname prefix resembling a trusted host to send authentication material to untrusted endpoints.
Title               |                | OpenClaw < 2026.5.7 - Hostname Prefix Matching Bypass in Trusted Retry Endpoint Validation
First Time appeared |                | Openclaw; Openclaw openclaw
Weaknesses          |                | CWE-1023
CPEs                |                | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products  |                | Openclaw; Openclaw openclaw
References          |                |
Metrics             |                | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
                    |                | cvssV4_0 {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-15T18:16:13.464Z

Reserved: 2026-06-10T21:19:32.651Z

Link: CVE-2026-53839

Vulnrichment

Updated: 2026-06-15T18:16:00.516Z

NVD

Status : Analyzed

Published: 2026-06-12T22:16:55.863

Modified: 2026-06-16T02:54:28.110

Link: CVE-2026-53839

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-13T00:15:20Z

Weaknesses
  • CWE-1023

    Incomplete Comparison with Missing Factors