OpenClaw Unauthenticated Discovery TXT Record Vulnerability Allows Rogue Service Routing and TLS Pinning Override

Vulnerability

A vulnerability in OpenClaw's discovery process via Bonjour/mDNS and DNS-SD can lead to improper routing and TLS pin management. This issue is present in versions through 2026.2.13. The vulnerability arises because TXT records, which are unauthenticated, are treated as authoritative by some clients. On iOS and macOS, TXT values were used to construct connection URLs, while on iOS and Android, the TXT-provided TLS fingerprint could override stored TLS pins. This flaw could be exploited on a shared or untrusted LAN by advertising a rogue OpenClaw service, causing a client to connect to an attacker-controlled endpoint and potentially exfiltrate Gateway credentials during the process.
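The routing and pin-override flaw described above, next to a hardened decision, as an added example that is not OpenClaw's code or its actual patch. The TXT key names (`host`, `port`, `tls_fp`), the function names and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

def norm(fp: str) -> str:
    """Canonical form for comparing certificate fingerprints."""
    return fp.replace(":", "").strip().lower()

@dataclass
class Advert:
    instance: str                 # DNS-SD instance name
    srv_host: str                 # target from the resolved SRV record
    srv_port: int
    txt: dict = field(default_factory=dict)   # unauthenticated TXT key/values

def vulnerable_plan(ad: Advert, pins: dict) -> tuple:
    """Flawed pattern from the advisory: TXT is treated as authoritative."""
    host = ad.txt.get("host", ad.srv_host)          # TXT builds the URL
    port = int(ad.txt.get("port", ad.srv_port))
    if "tls_fp" in ad.txt:
        pins[ad.instance] = norm(ad.txt["tls_fp"])  # TXT overrides stored pin
    return host, port, pins.get(ad.instance)

def hardened_plan(ad: Advert, pins: dict, confirmed_fp: Optional[str] = None) -> tuple:
    """TXT is a hint only: it never routes and never changes a stored pin."""
    host, port = ad.srv_host, ad.srv_port           # ignore TXT routing hints
    if ad.instance not in pins:
        if confirmed_fp is None:                    # first contact needs the user
            raise PermissionError("no pin stored; confirm fingerprint out of band")
        pins[ad.instance] = norm(confirmed_fp)
    pin = pins[ad.instance]
    advertised = ad.txt.get("tls_fp")
    changed = advertised is not None and norm(advertised) != pin
    # SRV data is unauthenticated too; the unchanged pin is what makes the
    # TLS handshake fail before any Gateway credential is sent.
    return host, port, pin, changed                 # changed -> warn, keep pin

# Constructed sample data: a known gateway and a rogue advert reusing its name.
GOOD_FP = "aa" * 32
ROGUE_FP = "bb" * 32
ROGUE = Advert("Home Gateway", "gw.local", 4443,
               {"host": "192.0.2.66", "port": "9443", "tls_fp": ROGUE_FP})
```
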

Impact

Exploitation of this vulnerability could lead to unauthorized access to Gateway credentials, including the authentication token and password, by allowing an attacker to intercept these details during a connection to a maliciously advertised service.

Reproduction

To reproduce this vulnerability, advertise a rogue '_openclaw-gw._tcp' service on a shared or untrusted LAN. Ensure that the service includes TXT records with host hints, ports, and a TLS fingerprint. A client running on iOS or Android then connects to the attacker-controlled endpoint, where the intercepted Gateway credentials can be extracted.

Remediation

Users should upgrade to OpenClaw version 2026.2.14 or later, where this vulnerability has been addressed.

Added: Feb 19, 2026, 11:33 PM
Updated: Feb 19, 2026, 11:33 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.5
remediation: 0.0
relevance: 3.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.