OpenClaw's trusted-endpoint check for retry requests accepted any hostname that merely started with a trusted name, so an attacker-controlled host like 'trusted-gateway.attacker.com' could pass validation as if it were the real 'trusted-gateway.com'. For teams running OpenClaw as an AI agent gateway, that means authentication material tied to trusted integrations could be silently redirected to a rogue endpoint whenever lower-trust input — an installed plugin, a shared channel, or an untrusted co-tenant on the same Gateway — can influence the retry URL. There is no CVSS score, no EPSS data, no public exploit or scanner template, and it is not in CISA KEV, so this reads as a responsibly-disclosed logic flaw rather than something under active attack; still, the package already carries 425 other CVEs, underscoring a pattern of security debt worth tracking even with only 4 tracked downstream dependents. Patch to 2026.5.7 now if the retry-endpoint feature is enabled, and in the meantime pin retry endpoints to exact origins, keep channel/tool allowlists narrow, and avoid sharing one Gateway between mutually untrusted users.
What is the risk?
Exploitability is currently low in practice — no CVSS vector, no EPSS score, no public PoC or Nuclei template, and no CISA KEV listing — so this is not a vulnerability under known active exploitation. However, the impact ceiling is meaningful: successful exploitation results in authentication material being sent to an attacker-chosen host, which is a direct credential-theft primitive rather than a denial-of-service or minor info leak. Real-world exposure depends heavily on configuration: the affected retry-endpoint feature must be enabled and reachable, and an attacker needs some channel (plugin, shared Gateway, lower-trust input) capable of steering the retry URL. Given openclaw's track record of 425 prior CVEs and its role as an AI agent framework handling credentials and tool calls, this should be treated as high-priority patching hygiene even without exploitation telemetry.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.5.7 | 2026.5.7 |
Do you use OpenClaw? You're affected.
How severe is it?
What should I do?
1 step-
Upgrade to openclaw 2026.5.7 or later, where the hostname validation is fixed. Until patched, pin retry endpoints to exact trusted origins (not prefixes) and disable the affected retry feature entirely if it isn't required. Keep channel and tool allowlists narrow, and never share a single Gateway instance between mutually untrusted users or tenants. For detection, audit egress logs from the Gateway/agent process for outbound authenticated requests to hosts outside the documented allowlist, and rotate any credentials that may have transited a misconfigured or attacker-influenced retry path before the patch was applied.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-77q5-rr5v-x43q?
OpenClaw's trusted-endpoint check for retry requests accepted any hostname that merely started with a trusted name, so an attacker-controlled host like 'trusted-gateway.attacker.com' could pass validation as if it were the real 'trusted-gateway.com'. For teams running OpenClaw as an AI agent gateway, that means authentication material tied to trusted integrations could be silently redirected to a rogue endpoint whenever lower-trust input — an installed plugin, a shared channel, or an untrusted co-tenant on the same Gateway — can influence the retry URL. There is no CVSS score, no EPSS data, no public exploit or scanner template, and it is not in CISA KEV, so this reads as a responsibly-disclosed logic flaw rather than something under active attack; still, the package already carries 425 other CVEs, underscoring a pattern of security debt worth tracking even with only 4 tracked downstream dependents. Patch to 2026.5.7 now if the retry-endpoint feature is enabled, and in the meantime pin retry endpoints to exact origins, keep channel/tool allowlists narrow, and avoid sharing one Gateway between mutually untrusted users.
Is GHSA-77q5-rr5v-x43q actively exploited?
No confirmed active exploitation of GHSA-77q5-rr5v-x43q has been reported, but organizations should still patch proactively.
How to fix GHSA-77q5-rr5v-x43q?
Upgrade to openclaw 2026.5.7 or later, where the hostname validation is fixed. Until patched, pin retry endpoints to exact trusted origins (not prefixes) and disable the affected retry feature entirely if it isn't required. Keep channel and tool allowlists narrow, and never share a single Gateway instance between mutually untrusted users or tenants. For detection, audit egress logs from the Gateway/agent process for outbound authenticated requests to hosts outside the documented allowlist, and rotate any credentials that may have transited a misconfigured or attacker-influenced retry path before the patch was applied.
What systems are affected by GHSA-77q5-rr5v-x43q?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI gateway / orchestration, plugin/tool integration layers.
What is the CVSS score for GHSA-77q5-rr5v-x43q?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0025 Exfiltration via Cyber Means AML.T0081 Modify AI Agent Configuration Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary Trusted retry endpoint checks could match hostname prefixes. In affected versions, a retry endpoint URL chosen by lower-trust input could pass validation by using a hostname prefix that resembled a trusted host. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. ### Impact When the affected feature is enabled and reachable, this could send authentication material to an endpoint outside the intended trust target. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. ### Patched Versions The first stable patched version is `2026.5.7`. ### Mitigations pin retry endpoints to exact trusted origins until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.
Exploitation Scenario
An attacker with access to a lower-trust input surface — for example, an installed third-party OpenClaw skill/plugin, or a message channel in a multi-tenant Gateway shared with an untrusted user — supplies a retry endpoint URL whose hostname shares a prefix with a trusted host, such as 'trusted-gateway.attacker-domain.com' instead of the legitimate 'trusted-gateway.com'. Because the validation logic only checks for a matching prefix rather than an exact origin, OpenClaw treats the attacker's host as trusted and forwards the retry request there, including authentication headers or tokens intended for the real endpoint. The attacker captures this authentication material and reuses it to access the legitimate service or pivot further into connected integrations.
Weaknesses (CWE)
CWE-1023 Incomplete Comparison with Missing Factors
Primary
CWE-20 Improper Input Validation
Primary
CWE-345 Insufficient Verification of Data Authenticity
Primary
CWE-1023 — Incomplete Comparison with Missing Factors: The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw