Impact
The vulnerability in OpenClaw before version 2026.5.26 permits an attacker to bypass hostname validation by appending a trailing dot to a model or workspace‑derived URL. This inconsistency enables attackers to reach destinations that operators have blocked through hostname policies, effectively allowing unauthorized network contact and potentially data exfiltration. The weakness involves improper input validation and hostname comparison logic, reflected in CWE‑1023 and CWE‑918.
Affected Systems
OpenClaw software by OpenClaw is affected. The issue occurs in all releases prior to 2026.5.26. System administrators working with versions earlier than 2026.5.26 should verify the current deployment and determine whether the product is exposed to the Internet or to untrusted inputs.
Risk and Exploitability
The CVSS score of 6 indicates a moderate impact, while the EPSS score of less than 1% shows a very low probability of exploitation at this time. The advisory does not list the vulnerability in the CISA KEV catalog, suggesting it has not yet been observed in wild attacks. The likely attack vector is remote via crafted URLs used in model or workspace configurations, and the vulnerability requires that attackers can inject or configure these URLs. No additional privileges are required beyond the ability to supply a model or workspace URL to the target system.
OpenCVE Enrichment
Github GHSA