CVE-2026-53859

Summary

OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-dot notation in model or workspace-derived URLs. Attackers can exploit inconsistent hostname checks to reach destinations that operators intended to block through hostname policies.

Affected Software

VendorProductVersion RangeStatus
OpenClawOpenClaw0 < 2026.5.26affected
OpenClawOpenClaw2026.5.26unaffected

Weaknesses

  • CWE-1023: Incomplete Comparison with Missing Factors
  • CWE-918: Server-Side Request Forgery (SSRF)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References