CVE-2026-26327

Date: February 18, 2026

Summary

Discovery beacons (Bonjour/mDNS and DNS-SD) include TXT records such as "lanHost", "tailnetDns", "gatewayPort", and "gatewayTlsSha256". TXT records are unauthenticated. Prior to the fix, some clients treated TXT values as authoritative routing/pinning inputs:

- iOS and macOS: used TXT-provided host hints ("lanHost"/"tailnetDns") and ports ("gatewayPort") to build the connection URL.
- iOS and Android: allowed the discovery-provided TLS fingerprint ("gatewayTlsSha256") to override a previously stored TLS pin.

On a shared/untrusted LAN, an attacker could advertise a rogue "_openclaw-gw._tcp" service. This could cause a client to connect to an attacker-controlled endpoint and/or accept an attacker certificate, potentially exfiltrating Gateway credentials ("auth.token" / "auth.password") during connection.

Distribution / Exposure

The iOS and Android apps are currently alpha/not broadly shipped (no public App Store / Play Store release). Practical impact is primarily limited to developers/testers running those builds, plus any other shipped clients relying on discovery on a shared/untrusted LAN. CVSS can still be used for the technical (base) severity of the bug; limited distribution primarily affects environmental risk.

Affected Packages / Versions

- Package: "openclaw" (npm)
- Affected: "<= 2026.2.13" (latest published on npm as of 2026-02-14)
- Patched: planned for ">= 2026.2.14" (not yet published at time of writing)

Fix

- Clients now prefer the resolved service endpoint (SRV + A/AAAA) over TXT-provided routing hints.
- Discovery-provided fingerprints no longer override stored TLS pins.
- iOS/Android: first-time TLS pins require explicit user confirmation (fingerprint shown; no silent TOFU).
- iOS/Android: discovery-based direct connects are TLS-only.
- Android: hostname verification is no longer globally disabled (only bypassed when pinning).

Fix Commit(s)

- d583782ee322a6faa1fe87ae52455e0d349de586

Credits

Thanks @simecek for reporting.
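As an added example (not OpenClaw's own code; the record shape, function names and sample values are assumptions), the following TypeScript contrasts the pre-fix handling of TXT hints with the hardened decision described under Fix: the resolved SRV + A/AAAA endpoint wins, a stored pin is never overridden by discovery, and a first-time pin is only proposed for explicit user confirmation.

```typescript
// Added example, not OpenClaw's own code. Models the decision a client makes
// after discovering a "_openclaw-gw._tcp" service. Names are assumptions.

interface DiscoveredService {
  srvTarget: string;             // target host from the SRV record
  srvPort: number;               // port from the SRV record
  addresses: string[];           // A/AAAA answers resolved for srvTarget
  txt: Record<string, string>;   // TXT key/value pairs (unauthenticated)
}

interface ConnectionPlan {
  url: string;
  pin: string | null;            // SHA-256 certificate fingerprint to enforce
  needsUserConfirmation: boolean; // true when a first-time pin must be shown
}

function hostForUrl(host: string): string {
  return host.includes(":") ? `[${host}]` : host; // bracket IPv6 literals
}

// Pre-fix behaviour: TXT hints choose the endpoint, and a TXT fingerprint
// silently replaces whatever pin was stored earlier.
function planConnectionVulnerable(svc: DiscoveredService, storedPin: string | null): ConnectionPlan {
  const host = svc.txt["lanHost"] ?? svc.txt["tailnetDns"] ?? svc.srvTarget;
  const port = svc.txt["gatewayPort"] !== undefined ? Number(svc.txt["gatewayPort"]) : svc.srvPort;
  const pin = svc.txt["gatewayTlsSha256"] ?? storedPin;
  return { url: `https://${hostForUrl(host)}:${port}`, pin, needsUserConfirmation: false };
}

// Hardened behaviour: resolved SRV + A/AAAA endpoint is authoritative, a stored
// pin is kept, a first-time pin is only proposed for confirmation, TLS-only.
function planConnectionHardened(svc: DiscoveredService, storedPin: string | null): ConnectionPlan {
  const host = svc.addresses[0] ?? svc.srvTarget;
  const url = `https://${hostForUrl(host)}:${svc.srvPort}`;
  if (storedPin !== null) {
    return { url, pin: storedPin, needsUserConfirmation: false };
  }
  const advertised = svc.txt["gatewayTlsSha256"] ?? null;
  return { url, pin: advertised, needsUserConfirmation: advertised !== null };
}

// Constructed sample: a rogue advertisement whose TXT hints point away from the
// SRV/A endpoint and carry a fingerprint that differs from the stored pin.
const ROGUE_ADVERT: DiscoveredService = {
  srvTarget: "gateway.local",
  srvPort: 4443,
  addresses: ["192.0.2.10"],
  txt: { lanHost: "192.0.2.66", gatewayPort: "8443", gatewayTlsSha256: "ROGUE_FP_PLACEHOLDER" },
};
const STORED_PIN = "STORED_FP_PLACEHOLDER";
```

With the rogue advertisement, the pre-fix plan connects to 192.0.2.66:8443 with the attacker-supplied pin, while the hardened plan connects to the resolved 192.0.2.10:4443 and keeps the stored pin.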

Severity Score

Weakness Type (CWE)

Insufficient Verification of Data Authenticity

CWE-345

Top Fix

Upgrade Version

Upgrade to openclaw 2026.2.14 (npm); https://github.com/openclaw/openclaw.git tag v2026.2.14

CVSS v3.1

Base Score:
Attack Vector (AV): ADJACENT_NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE
