OpenClaw before 2026.3.22 contains a service discovery vulnerability where TXT metadata from Bonjour and DNS-SD could influence CLI routing…
VulnCheck·CWE-345·Published 2026-03-26
OpenClaw before 2026.3.22 contains a service discovery vulnerability where TXT metadata from Bonjour and DNS-SD could influence CLI routing even when actual service resolution failed. Attackers can exploit unresolved hints to steer routing decisions to unintended targets by providing malicious discovery metadata.
OpenClaw before 2026.3.22 contains a service discovery vulnerability where TXT metadata from Bonjour and DNS-SD could influence CLI routing even when actual service resolution failed. Attackers can exploit unresolved hints to steer routing decisions to unintended targets by providing malicious discovery metadata.
## Summary Bonjour and DNS-SD TXT metadata could still steer CLI routing even when actual service resolution failed, allowing unresolved hints to influence the chosen target. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected: < 2026.3.22 - Fixed: >= 2026.3.22 - Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`) - Latest published npm version checked: `2026.3.23-2` ## Fix Commit(s) - `deecf68b59a9b7eea978e40fd3c2fe543087b569` ## Release Status The fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`. ## Code-Level Confirmation - src/infra/bonjour-discovery.ts now resolves and returns only concrete endpoints instead of falling back to unresolved TXT host and port hints. - src/cli/gateway-cli/discover.ts consumes only the fail-closed resolved endpoint path. OpenClaw thanks @nexrin for reporting.
## Summary Bonjour and DNS-SD TXT metadata could still steer CLI routing even when actual service resolution failed, allowing unresolved hints to influence the chosen target. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected: < 2026.3.22 - Fixed: >= 2026.3.22 - Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`) - Latest published npm version checked: `2026.3.23-2` ## Fix Commit(s) - `deecf68b59a9b7eea978e40fd3c2fe543087b569` ## Release Status The fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`. ## Code-Level Confirmation - src/infra/bonjour-discovery.ts now resolves and returns only concrete endpoints instead of falling back to unresolved TXT host and port hints. - src/cli/gateway-cli/discover.ts consumes only the fail-closed resolved endpoint path. OpenClaw thanks @nexrin for reporting.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | NVD | 6.3 | 2.1 | 4.2 | CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N |
| 3.1 | Primary | cve.org | 4.6 | — | — | CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
| 3.1 | Secondary | GHSA | 4.6 | — | — | CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
| 3.1 | Secondary | NVD | 4.6 | 2.1 | 2.5 | CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
| 4.0 | Primary | cve.org | 5.1 | — | — | CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| 4.0 | Secondary | GHSA | 5.1 | — | — | CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| 4.0 | Secondary | NVD | 5.1 | — | — | CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |