Description
OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-dot notation in model or workspace-derived URLs. Attackers can exploit inconsistent hostname checks to reach destinations that operators intended to block through hostname policies.
Published: 2026-06-16
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in OpenClaw before version 2026.5.26 permits an attacker to bypass hostname validation by appending a trailing dot to a model or workspace‑derived URL. This inconsistency enables attackers to reach destinations that operators have blocked through hostname policies, effectively allowing unauthorized network contact and potentially data exfiltration. The weakness involves improper input validation and hostname comparison logic, reflected in CWE‑1023 and CWE‑918.

Affected Systems

OpenClaw software by OpenClaw is affected. The issue occurs in all releases prior to 2026.5.26. System administrators working with versions earlier than 2026.5.26 should verify the current deployment and determine whether the product is exposed to the Internet or to untrusted inputs.

Risk and Exploitability

The CVSS score of 6 indicates a moderate impact, while the EPSS score of less than 1% shows a very low probability of exploitation at this time. The advisory does not list the vulnerability in the CISA KEV catalog, suggesting it has not yet been observed in wild attacks. The likely attack vector is remote via crafted URLs used in model or workspace configurations, and the vulnerability requires that attackers can inject or configure these URLs. No additional privileges are required beyond the ability to supply a model or workspace URL to the target system.

Generated by OpenCVE AI on June 17, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.5.26 or later, which contains the hostname validation fix.
  • Remove any trailing dots from URLs in model or workspace configurations to enforce strict hostname validation.
  • Implement outbound traffic filtering or firewall rules to block access to hosts that are not explicitly whitelisted.

Generated by OpenCVE AI on June 17, 2026 at 22:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gxg4-2rrr-jhc7 OpenClaw: Hostname checks could treat trailing-dot hosts inconsistently
History

Tue, 16 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-dot notation in model or workspace-derived URLs. Attackers can exploit inconsistent hostname checks to reach destinations that operators intended to block through hostname policies.
Title OpenClaw < 2026.5.26 - Hostname Validation Bypass via Trailing-Dot Inconsistency
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-1023
CWE-918
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-16T18:38:58.295Z

Reserved: 2026-06-10T21:22:34.480Z

Link: CVE-2026-53859

cve-icon Vulnrichment

Updated: 2026-06-16T18:38:53.492Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T19:17:03.440

Modified: 2026-06-16T20:42:46.200

Link: CVE-2026-53859

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T22:30:13Z

Weaknesses
  • CWE-1023

    Incomplete Comparison with Missing Factors

  • CWE-918

    Server-Side Request Forgery (SSRF)