We use cookies to improve your experience on our site.
AVID-2026-R0231
Description
OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning (CVE-2026-26327)
Details
OpenClaw is a personal AI assistant. Discovery beacons (Bonjour/mDNS and DNS-SD) include TXT records such as lanHost, tailnetDns, gatewayPort, and gatewayTlsSha256. TXT records are unauthenticated. Prior to version 2026.2.14, some clients treated TXT values as authoritative routing/pinning inputs. iOS and macOS used TXT-provided host hints (lanHost/tailnetDns) and ports (gatewayPort) to build the connection URL. iOS and Android allowed the discovery-provided TLS fingerprint (gatewayTlsSha256) to override a previously stored TLS pin. On a shared/untrusted LAN, an attacker could advertise a rogue _openclaw-gw._tcp service. This could cause a client to connect to an attacker-controlled endpoint and/or accept an attacker certificate, potentially exfiltrating Gateway credentials (auth.token / auth.password) during connection. As of time of publication, the iOS and Android apps are alpha/not broadly shipped (no public App Store / Play Store release). Practical impact is primarily limited to developers/testers running those builds, plus any other shipped clients relying on discovery on a shared/untrusted LAN. Version 2026.2.14 fixes the issue. Clients now prefer the resolved service endpoint (SRV + A/AAAA) over TXT-provided routing hints. Discovery-provided fingerprints no longer override stored TLS pins. In iOS/Android, first-time TLS pins require explicit user confirmation (fingerprint shown; no silent TOFU) and discovery-based direct connects are TLS-only. In Android, hostname verification is no longer globally disabled (only bypassed when pinning).
References
- NVD entry
- https://github.com/openclaw/openclaw/security/advisories/GHSA-pv58-549p-qh99
- https://github.com/openclaw/openclaw/commit/d583782ee322a6faa1fe87ae52455e0d349de586
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
- OpenClawCVEs repository
Affected or Relevant Artifacts
- Developer: openclaw
- Deployer: openclaw
- Artifact Details:
| Type | Name |
|---|---|
| System | openclaw |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-345 | CWE-345: Insufficient Verification of Data Authenticity |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2026-02-19
- Version: 0.2
- AVID Entry