CVE-2026-53859
OpenClaw < 2026.5.26 - Hostname Validation Bypass via Trailing-Dot Inconsistency
In short
OpenClaw versions before 2026.5.26 have a flaw in how they check hostnames, allowing attackers to bypass security blocklists by adding a trailing dot to URLs. This means users could be directed to blocked websites that administrators thought they had protected against.
Technical detail
The vulnerability exists in hostname validation logic that fails to normalize trailing-dot notation consistently when comparing against blocklist policies. Attackers can craft model or workspace-derived URLs with trailing dots to bypass hostname blocklist checks (CWE-918, CWE-1023), gaining access to destinations intended to be restricted by operator policies.
Summary generated and translated by AI from the official description.
OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-dot notation in model or workspace-derived URLs. Attackers can exploit inconsistent hostname checks to reach destinations that operators intended to block through hostname policies.
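To make the bug class concrete, here is an added example (not OpenClaw's code; the blocklist and URLs are constructed) showing the inconsistency described above in a hostname blocklist check: a comparison that treats `internal.example.` and `internal.example` as different strings, beside a check that canonicalizes the hostname before every policy comparison. The function names and the `BLOCKLIST` are assumptions for illustration.

```python
"""Hostname blocklist check: inconsistent (bypassable) vs normalized form.

Constructed example for the trailing-dot inconsistency class
(CWE-918 / CWE-1023). This is not OpenClaw's code; the blocklist is made up.
"""
from urllib.parse import urlsplit

# Constructed operator policy: these destinations and their subdomains
# must not be reachable.
BLOCKLIST = frozenset({"internal.example", "metadata.example"})


def hostname_of(url: str) -> str:
    """Extract the host from a URL. urlsplit() lowercases it but keeps a
    trailing dot, so 'https://internal.example./x' yields 'internal.example.'."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no hostname in {url!r}")
    return host


def is_blocked_naive(url: str, blocklist=BLOCKLIST) -> bool:
    """Inconsistent check: compares the raw hostname string against the
    policy. The fully-qualified spelling 'internal.example.' resolves to the
    same place but does not match, so the policy is bypassed."""
    host = hostname_of(url)
    return host in blocklist or any(host.endswith("." + b) for b in blocklist)


def normalize_hostname(host: str) -> str:
    """Canonical form used on BOTH sides of every policy comparison:
    - lowercase (DNS names are case-insensitive)
    - strip trailing dots (the FQDN spelling names the same host)
    - reject empty labels left behind, e.g. 'a..b'
    """
    host = host.lower().rstrip(".")
    if not host or "" in host.split("."):
        raise ValueError(f"malformed hostname {host!r}")
    return host


def is_blocked(url: str, blocklist=BLOCKLIST) -> bool:
    """Hardened check: normalize the request host and the policy entries
    with the same function, then compare exact and parent-domain matches."""
    host = normalize_hostname(hostname_of(url))
    policy = {normalize_hostname(b) for b in blocklist}
    return host in policy or any(host.endswith("." + b) for b in policy)


if __name__ == "__main__":
    for url in ("https://internal.example/x", "https://internal.example./x",
                "https://api.METADATA.example./", "https://example.org/"):
        print(f"{url:40} naive={is_blocked_naive(url)!s:5} normalized={is_blocked(url)}")
```

The point of the hardened version is that the same `normalize_hostname` runs over the operator's list and over the request host, so the two can never disagree on spelling. Because this is a deny decision, normalizing aggressively (stripping every trailing dot, lowercasing) only ever moves the result toward "blocked", which is the safe direction.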
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
OpenClaw · OpenClaw