CVE-2026-26327: OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning
(updated )
Discovery beacons (Bonjour/mDNS and DNS-SD) include TXT records such as lanHost, tailnetDns, gatewayPort, and gatewayTlsSha256. TXT records are unauthenticated.
Prior to the fix, some clients treated TXT values as authoritative routing/pinning inputs:
- iOS and macOS: used TXT-provided host hints (
lanHost/tailnetDns) and ports (gatewayPort) to build the connection URL. - iOS and Android: allowed the discovery-provided TLS fingerprint (
gatewayTlsSha256) to override a previously stored TLS pin.
On a shared/untrusted LAN, an attacker could advertise a rogue _openclaw-gw._tcp service. This could cause a client to connect to an attacker-controlled endpoint and/or accept an attacker certificate, potentially exfiltrating Gateway credentials (auth.token / auth.password) during connection.
References
- github.com/advisories/GHSA-pv58-549p-qh99
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/d583782ee322a6faa1fe87ae52455e0d349de586
- github.com/openclaw/openclaw/releases/tag/v2026.2.14
- github.com/openclaw/openclaw/security/advisories/GHSA-pv58-549p-qh99
- nvd.nist.gov/vuln/detail/CVE-2026-26327
Code Behaviors & Features
Detect and mitigate CVE-2026-26327 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →