GHSA-77q5-rr5v-x43q: OpenClaw: retry hostname check leaks auth material

GHSA-77q5-rr5v-x43q HIGH
Published July 2, 2026
CISO Take

OpenClaw's trusted-endpoint check for retry requests accepted any hostname that merely started with a trusted name, so an attacker-controlled host like 'trusted-gateway.attacker.com' could pass validation as if it were the real 'trusted-gateway.com'. For teams running OpenClaw as an AI agent gateway, that means authentication material tied to trusted integrations could be silently redirected to a rogue endpoint whenever lower-trust input — an installed plugin, a shared channel, or an untrusted co-tenant on the same Gateway — can influence the retry URL. There is no CVSS score, no EPSS data, no public exploit or scanner template, and it is not in CISA KEV, so this reads as a responsibly-disclosed logic flaw rather than something under active attack; still, the package already carries 425 other CVEs, underscoring a pattern of security debt worth tracking even with only 4 tracked downstream dependents. Patch to 2026.5.7 now if the retry-endpoint feature is enabled, and in the meantime pin retry endpoints to exact origins, keep channel/tool allowlists narrow, and avoid sharing one Gateway between mutually untrusted users.

Sources: GitHub Advisory, ATLAS

What is the risk?

Exploitability is currently low in practice — no CVSS vector, no EPSS score, no public PoC or Nuclei template, and no CISA KEV listing — so this is not a vulnerability under known active exploitation. However, the impact ceiling is meaningful: successful exploitation results in authentication material being sent to an attacker-chosen host, which is a direct credential-theft primitive rather than a denial-of-service or minor info leak. Real-world exposure depends heavily on configuration: the affected retry-endpoint feature must be enabled and reachable, and an attacker needs some channel (plugin, shared Gateway, lower-trust input) capable of steering the retry URL. Given openclaw's track record of 425 prior CVEs and its role as an AI agent framework handling credentials and tool calls, this should be treated as high-priority patching hygiene even without exploitation telemetry.

How does the attack unfold?

  1. Trust boundary access (AML.T0081): Attacker gains a lower-trust input channel capable of influencing the retry endpoint URL, such as an installed plugin/skill or a shared multi-tenant Gateway.
  2. Validation bypass: Attacker supplies a hostname that shares a prefix with a trusted host, passing the flawed prefix-based trusted-endpoint check instead of an exact-origin match.
  3. Credential exfiltration (AML.T0025): OpenClaw forwards the retry request, including authentication material, to the attacker-controlled endpoint outside the intended trust target.
  4. Credential reuse (AML.T0012): Attacker uses the captured authentication material to access the legitimate trusted service or pivot into connected integrations.

What systems are affected?

Package: OpenClaw
Ecosystem: npm
Vulnerable Range: < 2026.5.7
Patched: 2026.5.7
4 dependents, 41% patched, ~3d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

  1. Upgrade to openclaw 2026.5.7 or later, where the hostname validation is fixed. Until patched, pin retry endpoints to exact trusted origins (not prefixes) and disable the affected retry feature entirely if it isn't required. Keep channel and tool allowlists narrow, and never share a single Gateway instance between mutually untrusted users or tenants. For detection, audit egress logs from the Gateway/agent process for outbound authenticated requests to hosts outside the documented allowlist, and rotate any credentials that may have transited a misconfigured or attacker-influenced retry path before the patch was applied.
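The egress audit described in the step above could look like the following. This is an added example, not OpenClaw code or tooling: the JSON-lines log format, its field names (`ts`, `url`, `auth`), the allowlist and the sample entries are all constructed assumptions.

```javascript
// Added example: flag authenticated outbound requests whose origin is not allowlisted.
// Assumed log format: one JSON object per line with "ts", "url" and "auth" fields.
const ALLOWED_ORIGINS = new Set(["https://gateway.example.com"]);
const ALLOWED_HOSTS = [...ALLOWED_ORIGINS].map((o) => new URL(o).hostname);

// Constructed sample log, including one malformed line.
const SAMPLE_LOG = [
  '{"ts":"2026-07-01T10:00:00Z","url":"https://gateway.example.com/retry","auth":true}',
  '{"ts":"2026-07-01T10:00:05Z","url":"https://gateway.example.com.attacker.example/retry","auth":true}',
  '{"ts":"2026-07-01T10:00:09Z","url":"https://cdn.example.net/asset.js","auth":false}',
  '{"ts":"2026-07-01T10:00:12Z","url":"https://api.other.example/v1","auth":true}',
  "truncated line {",
].join("\n");

function auditEgress(logText) {
  const findings = [];
  let unparsed = 0;
  for (const line of logText.split("\n")) {
    if (line.trim() === "") continue;
    let entry, url;
    try {
      entry = JSON.parse(line);
      url = new URL(entry.url);
    } catch {
      unparsed += 1; // count unreadable lines so gaps in coverage stay visible
      continue;
    }
    if (!entry.auth) continue; // only requests that carried credentials matter here
    if (ALLOWED_ORIGINS.has(url.origin)) continue; // exact origin match is expected traffic
    // A host that begins with a trusted hostname would have passed a prefix check.
    const lookalike = ALLOWED_HOSTS.some((h) => url.hostname.startsWith(h));
    findings.push({ ts: entry.ts, origin: url.origin, lookalike });
  }
  return { findings, unparsed };
}

console.log(auditEgress(SAMPLE_LOG));
```

Findings with `lookalike: true` are the ones to prioritise for credential rotation, since they match the pattern this advisory describes.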

Which compliance frameworks are affected?

This advisory is relevant to:

NIST AI RMF
MANAGE-4.1 - Mechanisms are in place to sustain the value of deployed AI systems, including monitoring for security issues
OWASP LLM Top 10
LLM02 - Sensitive Information Disclosure
LLM08 - Excessive Agency

Frequently Asked Questions

Is GHSA-77q5-rr5v-x43q actively exploited?

No confirmed active exploitation of GHSA-77q5-rr5v-x43q has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-77q5-rr5v-x43q?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI gateway / orchestration, plugin/tool integration layers.

What is the CVSS score for GHSA-77q5-rr5v-x43q?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks
AI gateway / orchestration
plugin/tool integration layers

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0025 Exfiltration via Cyber Means
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

NIST AI RMF: MANAGE-4.1
OWASP LLM Top 10: LLM02, LLM08

What are the technical details?

Original Advisory

### Summary

Trusted retry endpoint checks could match hostname prefixes. In affected versions, a retry endpoint URL chosen by lower-trust input could pass validation by using a hostname prefix that resembled a trusted host. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.

### Impact

When the affected feature is enabled and reachable, this could send authentication material to an endpoint outside the intended trust target. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path.

### Patched Versions

The first stable patched version is `2026.5.7`.

### Mitigations

Pin retry endpoints to exact trusted origins until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.

Exploitation Scenario

An attacker with access to a lower-trust input surface — for example, an installed third-party OpenClaw skill/plugin, or a message channel in a multi-tenant Gateway shared with an untrusted user — supplies a retry endpoint URL whose hostname shares a prefix with a trusted host, such as 'trusted-gateway.attacker-domain.com' instead of the legitimate 'trusted-gateway.com'. Because the validation logic only checks for a matching prefix rather than an exact origin, OpenClaw treats the attacker's host as trusted and forwards the retry request there, including authentication headers or tokens intended for the real endpoint. The attacker captures this authentication material and reuses it to access the legitimate service or pivot further into connected integrations.
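The difference between a prefix comparison and an exact-origin match, as an added example. This is not OpenClaw's source: the function names, the trusted host and the test URLs are constructed, and the hardened check goes beyond the hostname to pin scheme and port as well.

```javascript
// Added illustration of the weakness class (CWE-1023); not OpenClaw code.
// Hypothetical configuration using reserved example domains.
const TRUSTED_HOSTS = ["gateway.example.com"];
const TRUSTED_ORIGINS = new Set(["https://gateway.example.com"]);

// Flawed pattern: only the leading characters of the hostname are compared.
function isTrustedByPrefix(retryUrl) {
  let url;
  try { url = new URL(retryUrl); } catch { return false; }
  return TRUSTED_HOSTS.some((h) => url.hostname.startsWith(h));
}

// Hardened pattern: parse, require HTTPS, then match the whole origin
// (scheme + host + port) against pinned values. URL normalises case and default ports.
function isTrustedByOrigin(retryUrl) {
  let url;
  try { url = new URL(retryUrl); } catch { return false; }
  if (url.protocol !== "https:") return false;
  return TRUSTED_ORIGINS.has(url.origin);
}

// Credentials are attached only when the exact-origin check passes.
function buildRetryHeaders(retryUrl, token) {
  const headers = { accept: "application/json" };
  if (isTrustedByOrigin(retryUrl)) headers.authorization = `Bearer ${token}`;
  return headers;
}

// Constructed inputs covering the legitimate endpoint and near misses.
const CASES = [
  "https://gateway.example.com/retry",
  "https://GATEWAY.EXAMPLE.COM:443/retry",
  "https://gateway.example.com.attacker.example/retry",
  "https://gateway.example.com-retry.example/retry",
  "https://gateway.example.com:8443/retry",
  "http://gateway.example.com/retry",
  "not a url",
];

function compareChecks() {
  return CASES.map((u) => ({
    url: u, prefix: isTrustedByPrefix(u), origin: isTrustedByOrigin(u),
  }));
}

console.table(compareChecks());
```

Every row where `prefix` is true and `origin` is false is a request that the prefix comparison would have sent with credentials attached.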

Weaknesses (CWE)

CWE-1023 — Incomplete Comparison with Missing Factors: The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.

Source: MITRE CWE corpus.

Timeline

Published: July 2, 2026
Last Modified: July 2, 2026
First Seen: July 2, 2026
