CVE-2026-53839: OpenClaw: hostname prefix bypass leaks auth tokens

MEDIUM
Published June 12, 2026
CISO Take

OpenClaw's retry endpoint logic performs prefix matching on hostnames instead of exact matching, meaning an attacker can register a domain that shares a prefix with a trusted host (e.g., 'openai-api-evil.com' passing a check for 'openai-api') and have authentication headers—API keys, bearer tokens, service credentials—silently forwarded to their infrastructure during a retry attempt. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) signals that exploitation is network-reachable, requires no user interaction, and needs only low-privilege access, making this a realistic credential theft path in any agentic pipeline where OpenClaw calls authenticated backends. No public exploit exists and it is absent from CISA KEV, but the 'ai_agent' category means a successful compromise yields credentials with broad blast radius across the AI stack—LLM API keys, vector database tokens, orchestration service secrets. Upgrade to OpenClaw 2026.5.7 or later; if patching is delayed, enforce strict egress filtering on OpenClaw processes and rotate any API keys the agent has used.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

Medium-High for organizations running OpenClaw in production agentic pipelines that invoke authenticated external services. Attack complexity is low and only low-privileged access is required, making this accessible to any attacker with a foothold in the network segment or influence over retry targets. The high confidentiality impact (C:H) reflects real API keys and service tokens being forwarded out-of-band. Current blast radius is bounded by OpenClaw's adoption (4 tracked downstream dependents, 174 prior CVEs in the package signaling a historically weak security posture), but the credential theft class frequently chains into full environment compromise. No active exploitation evidence at time of analysis.

How does the attack unfold?

  1. Reconnaissance (AML.T0084): Attacker identifies trusted hostname prefixes used by OpenClaw retry endpoints by observing agent network traffic, configuration files, or environment variables.

  2. Infrastructure Setup (AML.T0008.002): Attacker registers a domain sharing a prefix with a known trusted hostname (e.g., 'trustedapi.attacker.com') to pass OpenClaw's flawed prefix validation check.

  3. Exploitation (AML.T0106): Attacker influences a retry endpoint target (via config injection, SSRF, or environment manipulation), causing OpenClaw to evaluate the malicious hostname as trusted and forward the authenticated request.

  4. Credential Theft (AML.T0083): Authentication material (API keys, bearer tokens, service credentials) included in the retried request is captured by the attacker's server, enabling downstream LLM API abuse, lateral movement, or data exfiltration.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw pip No patch
4 dependents; 70% patched; ~0d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: 6.5 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

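AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): None
A (Availability): None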

What should I do?

  1. Patch immediately: upgrade OpenClaw to 2026.5.7+, which enforces exact hostname matching in retry endpoint validation.

  2. Network controls: restrict egress from OpenClaw processes to an explicit IP/hostname allow-list via firewall rules or service mesh policy—this mitigates the flaw even on unpatched versions.

  3. Credential rotation: rotate all API keys and tokens that OpenClaw agents have used as a precautionary measure, prioritizing LLM provider keys and cloud service credentials.

  4. Detection: audit OpenClaw retry logs for destination hostnames not in your approved endpoint list; alert on any retry targeting an unexpected domain.

  5. Architectural hardening: place a forward proxy with strict hostname validation in front of OpenClaw agent egress to enforce allow-listing independently of application logic.
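A sketch of the log audit in step 4, as an added example rather than OpenClaw tooling. The JSON-lines layout, the field names, and the approved list are assumptions; the page does not document OpenClaw's retry log format.

```python
import json
from urllib.parse import urlsplit

# Assumed approved endpoint list; replace with your own.
APPROVED = frozenset({"api.openai.com", "vectors.internal.example"})

# Constructed sample log. The layout and field names are assumptions;
# adapt the parsing to the format your deployment actually writes.
SAMPLE_LOG = """\
{"ts": "2026-06-13T09:14:02Z", "event": "retry", "attempt": 2, "url": "https://api.openai.com/v1/chat/completions"}
{"ts": "2026-06-13T09:14:07Z", "event": "retry", "attempt": 1, "url": "https://api.openai.com.attacker-controlled.com/v1/chat/completions"}
{"ts": "2026-06-13T09:15:40Z", "event": "request", "url": "https://vectors.internal.example/query"}
{"ts": "2026-06-13T09:16:11Z", "event": "retry", "attempt": 3, "url": "https://cdn.unlisted.example/blob"}
not-json garbage line
"""


def audit_retry_log(text, approved=APPROVED):
    """Return one finding per retry whose destination host is not approved."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            rec = json.loads(line)
            if not isinstance(rec, dict):
                raise ValueError("not a JSON object")
            # .hostname drops port and userinfo and lowercases the host.
            host = (urlsplit(str(rec.get("url", ""))).hostname or "").rstrip(".")
        except ValueError:
            # A line that cannot be parsed cannot be vouched for; report it.
            findings.append({"line": lineno, "host": None, "kind": "unparsable"})
            continue
        if rec.get("event") != "retry" or host in approved:
            continue
        # A host that starts with an approved name but is not equal to it
        # is the pattern this CVE describes; rank it above other misses.
        lookalike = any(host.startswith(name) for name in approved)
        kind = "lookalike" if lookalike else "unexpected"
        findings.append({"line": lineno, "host": host, "kind": kind})
    return findings


if __name__ == "__main__":
    for finding in audit_retry_log(SAMPLE_LOG):
        print(finding)
```
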

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.9.4 - AI system security controls
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain value while managing AI risk
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-53839 actively exploited?

No confirmed active exploitation of CVE-2026-53839 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-53839?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, agentic pipelines with authenticated APIs, LLM orchestration layers.

What is the CVSS score for CVE-2026-53839?

CVE-2026-53839 has a CVSS v3.1 base score of 6.5 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks
agentic pipelines with authenticated APIs
LLM orchestration layers

MITRE ATLAS Techniques

AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.9.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

OpenClaw before 2026.5.7 contains a hostname validation vulnerability in retry endpoint checks that allows matching hostname prefixes instead of exact hostnames. Attackers can exploit this by crafting a hostname prefix resembling a trusted host to send authentication material to untrusted endpoints.

Exploitation Scenario

An attacker with low-privilege network access identifies that a target OpenClaw agent calls 'api.openai.com' for LLM inference with a bearer token. They register 'api.openai.com.attacker-controlled.com' and find a way to influence the retry endpoint target—via misconfigured environment variable, agent configuration injection, or SSRF in a companion service. When OpenClaw's retry logic evaluates the hostname, it checks the prefix 'api.openai.com' and finds a match, forwarding the Authorization header containing the OpenAI API key to the attacker's server. The attacker captures the key, uses it to exfiltrate conversation context from the LLM provider, and pivots to other services using the same credential.
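The comparison flaw from the advisory, shown beside an exact-match check, as an added example that is not OpenClaw's code. The function names, the allow-list, and the set of credential headers are assumptions; the hostnames are the ones used in the scenario above.

```python
from urllib.parse import urlsplit

# Assumed allow-list; the hostname is the one used in the scenario above.
TRUSTED_HOSTS = frozenset({"api.openai.com"})
# Assumed set of headers treated as authentication material.
SENSITIVE_HEADERS = frozenset(
    {"authorization", "proxy-authorization", "cookie", "x-api-key"}
)


def normalized_host(url):
    """Host part of a URL, lowercased, without port, userinfo or trailing dot."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # e.g. a malformed IPv6 literal
        return ""
    return host.rstrip(".")


def is_trusted_prefix(url):
    """Flawed check (CWE-1023): accepts any host that starts with a trusted name."""
    host = normalized_host(url)
    return any(host.startswith(trusted) for trusted in TRUSTED_HOSTS)


def is_trusted_exact(url):
    """Corrected check: the whole hostname must equal an allow-listed entry."""
    return normalized_host(url) in TRUSTED_HOSTS


def headers_for_retry(url, headers):
    """Forward credentials only to exact matches; strip them for any other target."""
    if is_trusted_exact(url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


if __name__ == "__main__":
    lookalike = "https://api.openai.com.attacker-controlled.com/v1/chat/completions"
    print("prefix check:", is_trusted_prefix(lookalike))
    print("exact check: ", is_trusted_exact(lookalike))
    print(headers_for_retry(lookalike, {"Authorization": "Bearer <token>", "Accept": "application/json"}))
```
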

Weaknesses (CWE)

CWE-1023 — Incomplete Comparison with Missing Factors: The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: June 12, 2026
Last Modified: June 12, 2026
First Seen: June 13, 2026
