CVE-2026-35659: OpenClaw: DNS-SD metadata hijacks CLI routing
Severity: MEDIUM
OpenClaw before 2026.3.22 trusts Bonjour/DNS-SD TXT metadata without verifying whether the advertised service actually resolved, allowing an adjacent-network attacker to steer CLI routing to attacker-controlled endpoints. Practical risk is constrained — exploitation requires local network access and a user to trigger the CLI (CVSS 4.6 Medium), and there is no active exploitation (not in CISA KEV), no public exploit code, and no EPSS data available. The package has only 4 downstream dependents, limiting broad blast radius, but any team running OpenClaw in shared or semi-trusted network environments (corporate LAN, VPN, co-working spaces) should treat this as a real trust-boundary violation in their AI agent stack. Patch to 2026.3.22 immediately; as an interim control, restrict mDNS/DNS-SD propagation on segments where OpenClaw operates and review CLI routing logs for unexpected service endpoints.
What is the risk?
Medium risk overall, trending toward low in most enterprise environments. The adjacent network requirement (AV:A) is a significant exploitation barrier — the attacker must be on the same network segment as the user. User interaction (UI:R) adds a second barrier. Confidentiality and integrity impacts are limited (C:L/I:L) with no availability impact. No active exploitation, no public exploit code, and no Nuclei scanner template further reduce urgency. The primary exposure scenario is shared-network environments such as corporate offices without network segmentation, co-working spaces, or VPN-connected endpoints. AI agent deployments where OpenClaw drives automated CLI workflows are at slightly elevated risk if the agent triggers discovery without active user oversight, removing the UI:R barrier in practice.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | pip | — | No patch |
Do you use OpenClaw? You're affected.
What should I do?
5 steps
- Patch: Upgrade OpenClaw to 2026.3.22 or later (patches in commits 630f1479c44f and deecf68b59a9).
- Network controls: Restrict mDNS (port 5353/UDP) and DNS-SD propagation on segments hosting OpenClaw via firewall rules or VLAN isolation.
- Detection: Monitor OpenClaw routing logs for unexpected service endpoints; alert on DNS-SD TXT records that do not match a pre-approved allowlist of known service identifiers.
- Verification: Confirm the patched commits are present in your installed version via package metadata or source inspection before trusting version strings alone.
- Interim workaround: If OpenClaw supports static endpoint configuration, hardcode the intended service address and disable automatic Bonjour/DNS-SD discovery to eliminate the vulnerable code path.
Frequently Asked Questions
Is CVE-2026-35659 actively exploited?
No confirmed active exploitation of CVE-2026-35659 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-35659?
1. Patch: Upgrade OpenClaw to 2026.3.22 or later (patches in commits 630f1479c44f and deecf68b59a9).
2. Network controls: Restrict mDNS (port 5353/UDP) and DNS-SD propagation on segments hosting OpenClaw via firewall rules or VLAN isolation.
3. Detection: Monitor OpenClaw routing logs for unexpected service endpoints; alert on DNS-SD TXT records that do not match a pre-approved allowlist of known service identifiers.
4. Verification: Confirm the patched commits are present in your installed version via package metadata or source inspection before trusting version strings alone.
5. Interim workaround: If OpenClaw supports static endpoint configuration, hardcode the intended service address and disable automatic Bonjour/DNS-SD discovery to eliminate the vulnerable code path.
What systems are affected by CVE-2026-35659?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, local network service discovery, CLI-driven automation pipelines.
What is the CVSS score for CVE-2026-35659?
CVE-2026-35659 has a CVSS v3.1 base score of 4.6 (MEDIUM).
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0011 User Execution
- AML.T0053 AI Agent Tool Invocation
- AML.T0080 AI Agent Context Poisoning
What are the technical details?
Original Advisory
OpenClaw before 2026.3.22 contains a service discovery vulnerability where TXT metadata from Bonjour and DNS-SD could influence CLI routing even when actual service resolution failed. Attackers can exploit unresolved hints to steer routing decisions to unintended targets by providing malicious discovery metadata.
Exploitation Scenario
An attacker with access to the same Wi-Fi or LAN segment as an OpenClaw user deploys a malicious mDNS responder that broadcasts crafted DNS-SD TXT records advertising a spoofed service endpoint pointing to an attacker-controlled host. When the user — or an automated agent workflow — invokes the OpenClaw CLI, it queries DNS-SD for available services. Even though the adversarial service fails to fully resolve, OpenClaw's unpatched routing logic still consumes the TXT metadata hints and redirects outbound CLI requests toward the attacker's endpoint. The attacker receives the user's requests, potentially including session context, prompts, or data payloads, achieving limited exfiltration (C:L) and the ability to serve manipulated responses back to the client (I:L) — effectively acting as a man-in-the-middle for the agent's service interactions.
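The following is an added illustration, not OpenClaw's code, of the trust failure described in the advisory and the scenario above, together with the two defensive checks from the remediation steps (allowlist of service identifiers, and never routing on TXT hints when the service did not resolve). The service instance name `openclaw-gateway._openclaw._tcp.local.`, the TXT keys `endpoint` and `path`, the routing-log line format and all addresses are constructed for the example; OpenClaw's real record names and log format are not on the page.

```python
"""Model of CVE-2026-35659-style DNS-SD trust failure and hardened handling (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DiscoveredService:
    """One DNS-SD browse result as a client would see it."""
    instance: str                          # DNS-SD instance name (attacker-advertisable on the LAN)
    txt: dict = field(default_factory=dict)  # TXT key/value metadata (attacker-controllable)
    resolved_addr: Optional[str] = None    # address from SRV/A resolution; None if resolution failed
    resolved_port: Optional[int] = None


# Constructed allowlist of pre-approved service identifiers (remediation step "Detection").
ALLOWED_INSTANCES = {"openclaw-gateway._openclaw._tcp.local."}


def route_vulnerable(svc: DiscoveredService) -> Optional[str]:
    """Pre-patch behaviour as the advisory describes it: a TXT 'endpoint' hint
    steers routing even when SRV/A resolution of the service failed."""
    hint = svc.txt.get("endpoint")
    if hint:
        return hint                                    # unresolved hint wins: the flaw
    if svc.resolved_addr is not None:
        return f"{svc.resolved_addr}:{svc.resolved_port}"
    return None


def route_hardened(svc: DiscoveredService, allowlist=ALLOWED_INSTANCES) -> Optional[str]:
    """Only route to a service that (1) actually resolved, (2) is on the allowlist,
    and (3) whose TXT metadata does not contradict the resolved address."""
    if svc.resolved_addr is None or svc.resolved_port is None:
        return None                                    # metadata alone never selects a route
    if svc.instance not in allowlist:
        return None                                    # unknown service identifier
    hint = svc.txt.get("endpoint")
    if hint is not None and hint.rsplit(":", 1)[0] != svc.resolved_addr:
        return None                                    # TXT may refine, never override, the host
    path = svc.txt.get("path", "/")
    if not path.startswith("/"):
        return None                                    # keep TXT-supplied path relative
    return f"{svc.resolved_addr}:{svc.resolved_port}{path}"


# Constructed routing-log lines in an assumed key=value format for the detection step.
ROUTING_LOG = [
    "2026-03-20T10:01:02Z route instance=openclaw-gateway._openclaw._tcp.local. endpoint=10.0.0.5:7788 resolved=true",
    "2026-03-20T10:01:09Z route instance=openclaw-gateway._openclaw._tcp.local. endpoint=192.168.1.77:7788 resolved=false",
    "2026-03-20T10:02:15Z route instance=rogue._openclaw._tcp.local. endpoint=192.168.1.77:7788 resolved=true",
]
LINE_RE = re.compile(r"instance=(\S+) endpoint=(\S+) resolved=(true|false)")


def flag_suspicious_routes(lines, allowlist=ALLOWED_INSTANCES, expected_endpoints=frozenset({"10.0.0.5:7788"})):
    """Return (line, reasons) for every routing decision that used an unlisted
    identifier, an unexpected endpoint, or a service that never resolved."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        instance, endpoint, resolved = m.groups()
        reasons = []
        if instance not in allowlist:
            reasons.append("instance not in allowlist")
        if resolved == "false":
            reasons.append("routed without successful resolution")
        if endpoint not in expected_endpoints:
            reasons.append("unexpected endpoint")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    spoofed = DiscoveredService("openclaw-gateway._openclaw._tcp.local.",
                                {"endpoint": "192.168.1.77:7788"})      # never resolved
    print("vulnerable ->", route_vulnerable(spoofed))
    print("hardened   ->", route_hardened(spoofed))
    for line, why in flag_suspicious_routes(ROUTING_LOG):
        print("ALERT", why, line)
```

The hardened path fails closed: a browse result whose TXT record carries an attacker-chosen `endpoint` but whose SRV/A lookup never completed yields no route at all, which is the behaviour the 2026.3.22 fix is described as restoring. The log checker encodes the same three conditions as alert criteria so that a pre-patch client's routing decisions can be reviewed after the fact.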
Weaknesses (CWE)
CWE-345 — Insufficient Verification of Data Authenticity: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
References
- github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87 patch
- github.com/openclaw/openclaw/commit/deecf68b59a9b7eea978e40fd3c2fe543087b569 patch
- github.com/openclaw/openclaw/security/advisories/GHSA-rvqr-hrcc-j9vv vendor-advisory
- vulncheck.com/advisories/openclaw-unresolved-service-metadata-routing-via-bonjour-and-dns-sd-discovery third-party-advisory
Related Vulnerabilities (same package: openclaw)
- CVE-2026-33579 9.9 Analysis pending
- CVE-2026-32922 9.9 Analysis pending
- CVE-2026-32038 9.8 Analysis pending
- CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
- CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state