CVE-2026-26327
OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning
Description
## Summary

Discovery beacons (Bonjour/mDNS and DNS-SD) include TXT records such as `lanHost`, `tailnetDns`, `gatewayPort`, and `gatewayTlsSha256`. TXT records are unauthenticated. Prior to the fix, some clients treated TXT values as authoritative routing/pinning inputs:

- iOS and macOS: used TXT-provided host hints (`lanHost`/`tailnetDns`) and ports (`gatewayPort`) to build the connection URL.
- iOS and Android: allowed the discovery-provided TLS fingerprint (`gatewayTlsSha256`) to override a previously stored TLS pin.

On a shared/untrusted LAN, an attacker could advertise a rogue `_openclaw-gw._tcp` service. This could cause a client to connect to an attacker-controlled endpoint and/or accept an attacker certificate, potentially exfiltrating Gateway credentials (`auth.token` / `auth.password`) during connection.

## Distribution / Exposure

The iOS and Android apps are currently alpha/not broadly shipped (no public App Store / Play Store release). Practical impact is primarily limited to developers/testers running those builds, plus any other shipped clients relying on discovery on a shared/untrusted LAN. CVSS can still be used for the technical (base) severity of the bug; limited distribution primarily affects environmental risk.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected: `<= 2026.2.13` (latest published on npm as of 2026-02-14)
- Patched: planned for `>= 2026.2.14` (not yet published at time of writing)

## Fix

- Clients now prefer the resolved service endpoint (SRV + A/AAAA) over TXT-provided routing hints.
- Discovery-provided fingerprints no longer override stored TLS pins.
- iOS/Android: first-time TLS pins require explicit user confirmation (fingerprint shown; no silent TOFU).
- iOS/Android: discovery-based direct connects are TLS-only.
- Android: hostname verification is no longer globally disabled (only bypassed when pinning).

## Fix Commit(s)

- d583782ee322a6faa1fe87ae52455e0d349de586

## Credits

Thanks @simecek for reporting.
How to fix CVE-2026-26327
To remediate CVE-2026-26327, upgrade the affected package to a fixed version below.
- Upgrade `openclaw` to 2026.2.14 or later.
Is CVE-2026-26327 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.