CVE-2026-53859

Vulnerability

OpenClaw versions before 2026.5.26 contain a hostname validation vulnerability [1][2]. The flaw resides in request paths that accept model- or workspace-derived URLs: the same hostname presented with a trailing dot (e.g., example.com.) is not compared consistently against the operator's blocklist, allowing the URL to bypass the intended policy [1].

Exploitation

An attacker must have access to a request path where model- or workspace-derived URLs are processed [1]. No special privileges beyond the ability to craft such a request are required; the attacker simply appends a trailing dot to a blocked hostname [1][2]. The condition is reachable only when the affected feature is enabled [1].

Impact

Successful exploitation allows an attacker to reach a destination that the operator intended to block through their hostname policy [1][2]. The practical impact depends on the operator's configuration—if the bypassed hostname is internal or sensitive, this could lead to information disclosure or server-side request forgery (SSRF) [2]. The overall impact is constrained by OpenClaw's trusted-operator model, but when lower-trust input reaches the affected path, the bypass can be leveraged [1].

Mitigation

The first stable patched version is 2026.5.26 [1][2]. For unpatched instances, operators should keep private-network and metadata destinations blocked at the proxy or network layer, keep channel and tool allowlists narrow, avoid sharing a Gateway between mutually untrusted users, and disable the affected feature when it is not needed [1].