Executive Summary

CVE-2026-35659 is a vulnerability in OpenClaw versions prior to 2026.3.22 related to how the software handles service discovery metadata from Bonjour and DNS-SD protocols.

Specifically, OpenClaw improperly uses TXT metadata from these service discovery mechanisms to influence command-line interface (CLI) routing decisions even when the actual service resolution fails.

Attackers can exploit this flaw by injecting malicious, unresolved TXT metadata, which can steer routing decisions to unintended or potentially malicious targets.

The root cause is insufficient verification of data authenticity, allowing unauthenticated TXT records to affect routing and SSH auto-target selection.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker to manipulate the routing decisions of OpenClaw's CLI commands.

By injecting malicious TXT metadata, an attacker can cause the system to route commands or SSH connections to unintended or potentially malicious endpoints.

This can lead to unauthorized access, man-in-the-middle attacks, or other security breaches by redirecting traffic to attacker-controlled targets.

The vulnerability has a moderate severity rating with a CVSS v4 base score of 5.1.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves OpenClaw improperly handling TXT metadata from Bonjour and DNS-SD service discovery, allowing routing decisions based on unresolved or unauthenticated service hints. Detection involves verifying whether OpenClaw is using unresolved TXT-only discovery metadata to influence CLI routing or SSH auto-target selection.

To detect this on your system, you can check the OpenClaw version to see if it is prior to 2026.3.22, which is vulnerable. Additionally, monitoring the CLI discovery, onboarding, and gateway status commands for routing decisions influenced by TXT-only metadata can help identify exploitation attempts.

Specific commands to detect this vulnerability are not explicitly provided in the resources. However, you can use network monitoring tools to capture Bonjour and DNS-SD traffic and inspect TXT records for suspicious or unexpected metadata that could influence routing.

Also, reviewing logs or outputs of OpenClaw CLI commands such as `gateway status` or discovery commands may reveal routing to unintended targets if TXT-only hints are being used.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade OpenClaw to version 2026.3.22 or later, where this vulnerability has been fixed.

The fix ensures that OpenClaw only uses fully resolved and authenticated service endpoints from Bonjour and DNS-SD discovery, rejecting unauthenticated TXT-only metadata and failing closed when resolution is unavailable.

Until you can upgrade, you should monitor and restrict Bonjour and DNS-SD traffic on your network to prevent attackers from injecting malicious TXT metadata.

Additionally, review and audit CLI routing and SSH auto-target configurations to ensure they are not influenced by unresolved service discovery data.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not explicitly address how CVE-2026-35659 impacts compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0