CVE-2026-41393
DNS Authority Spoofing in OpenClaw Enables Credential Exfiltration
Publication date: 2026-04-28
Last updated on: 2026-04-30
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | < 2026.3.31 (2026.3.31 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41393 is a vulnerability in the OpenClaw package affecting versions before 2026.3.31, specifically in the macOS Wide-Area Discovery component. It allows an attacker who is positioned within the same Tailnet and has access to a certificate authority (CA)-trusted endpoint to manipulate the DNS discovery process. This manipulation lets the attacker be accepted as a DNS authority, enabling them to exfiltrate operator credentials through DNS steering.
The vulnerability arises because the Wide-Area Discovery feature previously probed multiple tailnet IP addresses concurrently to find a responsive nameserver, allowing the fastest responder to become the DNS authority. This approach allowed malicious peers to hijack the discovery process. The issue was fixed by switching to a fixed MagicDNS resolver IP address, preventing arbitrary peers from becoming DNS authorities.
Exploitation requires several conditions: the attacker must be on the same Tailnet, have a CA-trusted endpoint, and user interaction is needed to trigger the vulnerability. Due to these constraints, the severity is rated medium.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker within your Tailnet to impersonate a DNS authority. This impersonation can lead to the exfiltration of operator credentials, potentially compromising your system's security.
Since the attacker can manipulate DNS steering, they might redirect or intercept sensitive information, which could lead to unauthorized access or further attacks within your network.
However, exploitation requires the attacker to be on the same Tailnet and to have a CA-trusted endpoint, and it depends on user interaction, which limits the risk and the scope of impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves the Wide-Area Discovery component accepting arbitrary tailnet peers as DNS authorities, so exploitation attempts can be detected by monitoring DNS queries and responses within the tailnet environment.
Detection can focus on identifying DNS authority responses or DNS steering for the discovery service that originate from tailnet peers other than the fixed MagicDNS resolver IP address (100.100.100.100).
Since exploitation requires an attacker present on the same tailnet with CA-trusted endpoint access, commands that inspect DNS queries and verify which IP is acting as the DNS authority can help detect exploitation attempts.
- Use network packet capture tools like tcpdump or Wireshark to monitor DNS traffic on port 53 within the tailnet.
- Example tcpdump command to capture DNS traffic: tcpdump -i <interface> port 53
- Check DNS resolver IP addresses in use; ensure queries are directed only to the fixed MagicDNS resolver IP 100.100.100.100.
- Use dig or nslookup to query the PTR records for the service _openclaw-gw._tcp.<domain> against the MagicDNS resolver and verify responses.
- Example dig command: dig @100.100.100.100 PTR _openclaw-gw._tcp.<domain>
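The following is an added detection example, not part of the advisory: it applies the rule from the bullets above to tcpdump-style DNS summary lines and flags DNS responses for the _openclaw-gw._tcp service that come from a tailnet address other than the MagicDNS resolver 100.100.100.100. The 100.64.0.0/10 tailnet address range is an assumption about the Tailscale deployment, and the sample capture lines and the example.ts.net domain are constructed.

```python
import ipaddress
import re

# Assumption: Tailscale allocates node addresses from the CGNAT block
# 100.64.0.0/10; the MagicDNS resolver address comes from the advisory.
TAILNET = ipaddress.ip_network("100.64.0.0/10")
MAGICDNS_RESOLVER = ipaddress.ip_address("100.100.100.100")
SERVICE = "_openclaw-gw._tcp"

# tcpdump's one-line DNS summary: "<ts> IP <src>.<sport> > <dst>.<dport>: <dns>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<dns>.*)$"
)

def find_rogue_dns_authorities(lines):
    """Return (src_ip, dns_summary) for every DNS *response* about the OpenClaw
    discovery service that a tailnet peer other than the MagicDNS resolver sent.
    After the fix only 100.100.100.100 should answer these queries, so any other
    tailnet source acting as a DNS authority is worth investigating."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a tcpdump IP/DNS summary line
        src = ipaddress.ip_address(m["src"])
        # Responses leave the server from port 53; queries arrive at port 53.
        is_response = m["sport"] == "53"
        if not is_response or src not in TAILNET or src == MAGICDNS_RESOLVER:
            continue
        if SERVICE in m["dns"]:
            findings.append((str(src), m["dns"]))
    return findings

# Constructed sample capture (not real traffic): a legitimate MagicDNS answer,
# an answer from an ordinary tailnet peer, and unrelated LAN traffic.
SAMPLE_LINES = [
    "10:00:01.000100 IP 100.99.2.7.54321 > 100.100.100.100.53: 1001+ PTR? _openclaw-gw._tcp.example.ts.net. (50)",
    "10:00:01.000400 IP 100.100.100.100.53 > 100.99.2.7.54321: 1001 1/0/0 PTR gw._openclaw-gw._tcp.example.ts.net. (80)",
    "10:00:02.000100 IP 100.99.2.7.54322 > 100.101.1.5.53: 1002+ PTR? _openclaw-gw._tcp.example.ts.net. (50)",
    "10:00:02.000300 IP 100.101.1.5.53 > 100.99.2.7.54322: 1002 1/0/0 PTR peer._openclaw-gw._tcp.example.ts.net. (82)",
    "10:00:03.000100 IP 192.168.1.9.53 > 192.168.1.20.40000: 1003 1/0/0 A 192.0.2.10 (44)",
]

if __name__ == "__main__":
    for src, summary in find_rogue_dns_authorities(SAMPLE_LINES):
        print(f"non-MagicDNS authority {src}: {summary}")
```

Feed it the output of the tcpdump command from the bullets above (tcpdump -i <interface> port 53) one line at a time; only the peer at 100.101.1.5 is reported for the constructed sample.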
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade OpenClaw to version 2026.3.31 or later, where the vulnerability has been fixed.
This update changes the Wide-Area Discovery mechanism to use a fixed MagicDNS resolver IP (100.100.100.100) instead of probing arbitrary tailnet peers, preventing malicious peers from becoming DNS authorities.
Until the update is applied, restrict network access to trusted tailnet peers and monitor DNS traffic for suspicious activity.
Additionally, educate users about the requirement for user interaction in triggering the vulnerability and encourage caution when interacting with unknown or untrusted tailnet peers.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of CVE-2026-41393 on compliance with common standards and regulations such as GDPR or HIPAA.