AI Threat Alert

CVE-2026-53859: OpenClaw: SSRF blocklist bypass via trailing-dot

MEDIUM
Published June 16, 2026
CISO Take

CVE-2026-53859 is a Server-Side Request Forgery (SSRF) flaw in OpenClaw, an AI agent framework, where hostname validation logic fails to normalize trailing-dot URL notation before comparing against operator-configured blocklists — meaning a URL like `http://169.254.169.254.` silently bypasses a blocklist entry for `169.254.169.254`. Attack complexity is low and only a low-privilege account is required (CVSS 6.5, AV:N/AC:L/PR:L/UI:N), making this exploitable by any authenticated user in multi-tenant or shared OpenClaw deployments. The confidentiality impact is rated High, consistent with SSRF-driven access to cloud metadata services, internal APIs, or credentials — there is no public exploit and no CISA KEV listing, but the exploitation mechanic is trivial for anyone aware of the trailing-dot DNS normalization quirk. Remediate by upgrading to OpenClaw ≥ 2026.5.26 and enforce network-layer egress controls (security groups, firewall rules) as defense-in-depth, since application-layer blocklists alone are provably bypassable.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Medium severity with elevated practical risk in cloud-hosted and enterprise AI agent deployments. The CVSS 6.5 score understates real-world exposure in contexts where OpenClaw agents can reach cloud metadata services (AWS IMDSv1 at 169.254.169.254, GCP metadata, Azure IMDS) or internal service meshes — environments where SSRF translates directly into credential theft and lateral movement. Deployments relying solely on hostname blocklists for network isolation are fully bypassed by this technique. No EPSS data is available and no active exploitation is recorded; however, the trailing-dot bypass is a well-understood DNS normalization quirk that requires zero AI/ML expertise to weaponize.

How does the attack unfold?

Initial Access
Attacker obtains or already holds a low-privilege OpenClaw account on a shared or enterprise deployment.
AML.T0012
Policy Bypass
Attacker crafts a URL with a trailing-dot hostname (e.g., 169.254.169.254.) that evades OpenClaw's blocklist string comparison due to missing normalization.
AML.T0107
SSRF Exploitation
OpenClaw's agent fetch layer issues an HTTP request to the blocked-but-bypassed destination, reaching cloud metadata endpoints or internal services.
AML.T0053
Data Exfiltration
The HTTP response — containing IAM credentials, internal API keys, or sensitive configuration — is returned through the agent's normal interface to the attacker.
AML.T0086

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw pip No patch
4 dependents 61% patched ~0d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
6.5 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I None
A None

What should I do?

5 steps

  1. Patch: Upgrade OpenClaw to version 2026.5.26 or later, which normalizes trailing-dot hostname notation prior to blocklist comparison.

  2. Network-layer defense-in-depth: Enforce outbound egress rules at the infrastructure level (security groups, VPC firewall, iptables) to restrict OpenClaw containers from reaching RFC-1918 ranges and 169.254.x.x — do not rely on application-layer blocklists as the sole control.

  3. Disable or harden IMDS: On AWS, enforce IMDSv2 with a hop-limit of 1 and require session-oriented tokens; on GCP/Azure, disable IMDS if not required.

  4. Detection: Alert on DNS queries or HTTP requests containing trailing-dot hostnames from OpenClaw processes; review agent access logs for requests to internal IP ranges or unexpected external domains.

  5. Blocklist audit: Review and re-test existing hostname blocklist policies against trailing-dot, URL-encoded, and IPv6 variants.

How is it classified?

Auth Bypass Data Extraction Agent AML.T0049 AML.T0053 AML.T0086 AML.T0107

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.3 - AI system security testing and monitoring
NIST AI RMF
MEASURE 2.6 - AI system security and resilience
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-53859?

CVE-2026-53859 is a Server-Side Request Forgery (SSRF) flaw in OpenClaw, an AI agent framework, where hostname validation logic fails to normalize trailing-dot URL notation before comparing against operator-configured blocklists — meaning a URL like `http://169.254.169.254.` silently bypasses a blocklist entry for `169.254.169.254`. Attack complexity is low and only a low-privilege account is required (CVSS 6.5, AV:N/AC:L/PR:L/UI:N), making this exploitable by any authenticated user in multi-tenant or shared OpenClaw deployments. The confidentiality impact is rated High, consistent with SSRF-driven access to cloud metadata services, internal APIs, or credentials — there is no public exploit and no CISA KEV listing, but the exploitation mechanic is trivial for anyone aware of the trailing-dot DNS normalization quirk. Remediate by upgrading to OpenClaw ≥ 2026.5.26 and enforce network-layer egress controls (security groups, firewall rules) as defense-in-depth, since application-layer blocklists alone are provably bypassable.

Is CVE-2026-53859 actively exploited?

No confirmed active exploitation of CVE-2026-53859 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53859?

1. Patch: Upgrade OpenClaw to version 2026.5.26 or later, which normalizes trailing-dot hostname notation prior to blocklist comparison. 2. Network-layer defense-in-depth: Enforce outbound egress rules at the infrastructure level (security groups, VPC firewall, iptables) to restrict OpenClaw containers from reaching RFC-1918 ranges and 169.254.x.x — do not rely on application-layer blocklists as the sole control. 3. Disable or harden IMDS: On AWS, enforce IMDSv2 with a hop-limit of 1 and require session-oriented tokens; on GCP/Azure, disable IMDS if not required. 4. Detection: Alert on DNS queries or HTTP requests containing trailing-dot hostnames from OpenClaw processes; review agent access logs for requests to internal IP ranges or unexpected external domains. 5. Blocklist audit: Review and re-test existing hostname blocklist policies against trailing-dot, URL-encoded, and IPv6 variants.

What systems are affected by CVE-2026-53859?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Agentic pipelines, Multi-agent systems, Model serving with URL fetch capabilities.

What is the CVSS score for CVE-2026-53859?

CVE-2026-53859 has a CVSS v3.1 base score of 6.5 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

AI agent frameworksAgentic pipelinesMulti-agent systemsModel serving with URL fetch capabilities

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0086 Exfiltration via AI Agent Tool Invocation
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.9.3
NIST AI RMF: MEASURE 2.6
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-dot notation in model or workspace-derived URLs. Attackers can exploit inconsistent hostname checks to reach destinations that operators intended to block through hostname policies.

Exploitation Scenario

An attacker with a low-privilege OpenClaw account — such as a trial user on a shared platform or a compromised internal user — configures a workspace that references `http://169.254.169.254./latest/meta-data/iam/security-credentials/`. When OpenClaw validates the hostname against the operator's blocklist containing `169.254.169.254`, the string comparison returns no match due to the trailing dot, and the fetch proceeds. The IMDS endpoint returns the EC2 instance's IAM role credentials — access key, secret key, and session token. The attacker retrieves these through the normal agent response interface, then uses the stolen credentials outside OpenClaw to enumerate S3 buckets, access stored training data, or escalate privileges within the AWS environment.

Weaknesses (CWE)

CWE-1023 Incomplete Comparison with Missing Factors Primary CWE-918 Server-Side Request Forgery (SSRF) Primary

CWE-1023 — Incomplete Comparison with Missing Factors: The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 16, 2026

Related Vulnerabilities

CRITICAL CVE-2026-53838 9.8

OpenClaw: approval scope bypass via reconnection state

Same package: openclaw
CRITICAL CVE-2026-30741 9.8

OpenClaw: RCE via request-side prompt injection

Same package: openclaw
CRITICAL CVE-2026-28451 9.3

OpenClaw: SSRF via Feishu extension exposes internal services

Same package: openclaw
HIGH GHSA-cwj3-vqpp-pmxr 8.8

openclaw: Model bypasses authz to persist unsafe config

Same package: openclaw
HIGH CVE-2026-35674 8.8

OpenClaw: scope bypass enables full agent admin takeover

Same package: openclaw
Back to Threat Feed