CVE-2026-53859
Received Received - Intake
Hostname Validation Bypass in OpenClaw

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: VulnCheck

Description
OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-dot notation in model or workspace-derived URLs. Attackers can exploit inconsistent hostname checks to reach destinations that operators intended to block through hostname policies.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-16
Last Modified
2026-06-16
Generated
2026-06-16
AI Q&A
2026-06-16
EPSS Evaluated
N/A
NVD
CVE-2026-53859
EUVD
EUVD-2026-37161
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.5.26 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-1023 The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-53859 is a hostname validation vulnerability in OpenClaw versions before 2026.5.26. It arises because the software inconsistently handles trailing dots in hostnames, allowing attackers to bypass blocklist checks by appending a trailing dot to URLs.

This inconsistency means that URLs which should be blocked by hostname policies can be accessed by attackers using this trailing-dot notation, effectively circumventing intended restrictions.

The vulnerability is related to incomplete comparison and improper input validation issues (CWE-1023, CWE-20) and can lead to server-side request forgery (CWE-918).

Impact Analysis

This vulnerability can allow attackers to bypass hostname blocklists and access destinations that operators intended to block.

If the affected feature is enabled and accessible, attackers can exploit this to reach restricted resources, potentially leading to unauthorized access or data exposure.

The practical impact depends on the operator's configuration and whether untrusted inputs can reach the vulnerable code path.

Mitigations before patching include blocking private-network and metadata destinations at the proxy or network layer, keeping allowlists narrow, avoiding shared Gateways between untrusted users, and disabling the affected feature if not needed.

Detection Guidance

This vulnerability involves inconsistent hostname validation related to trailing dots in URLs, which can bypass blocklist checks. Detection involves monitoring requests to model- or workspace-derived URLs for hostnames that include trailing dots.

You can inspect network traffic or logs for URLs with trailing dots appended to hostnames that should be blocked. For example, using command-line tools like tcpdump or Wireshark to capture HTTP requests and grep or similar tools to filter for trailing dots in hostnames.

  • Use tcpdump to capture HTTP traffic: tcpdump -i <interface> -A 'tcp port 80 or tcp port 443'
  • Filter captured traffic for trailing dots in hostnames: grep -iE '\bhttps?://[^/]+\.'
  • Check application logs or proxy logs for requests containing hostnames ending with a dot.
Mitigation Strategies

Immediate mitigation steps include blocking private-network and metadata destinations at the proxy or network layer until the affected OpenClaw version is patched.

Additional mitigations involve keeping channel and tool allowlists narrow, avoiding sharing Gateways between untrusted users, and disabling the affected feature if it is not necessary.

Upgrading OpenClaw to version 2026.5.26 or later, where the vulnerability is patched, is the definitive fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53859. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart