Improper Certificate Validation in OpenClaw - #VU129401

Published: May 4, 2026


Vulnerability identifier: #VU129401
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to interfere with attachment retrieval.

The vulnerability exists due to improper certificate validation in the remote iMessage attachment SCP handler when remote attachments are fetched over SCP on the first connection to a host. A remote attacker can perform a machine-in-the-middle or DNS-poisoning attack to interfere with attachment retrieval.

Only remote iMessage deployments that use SCP attachment fetching are affected.
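The first-connection weakness described above is, in practice, the difference between accepting whatever host key a server presents and checking it against a key the operator provisioned in advance. The following is an added illustration, not OpenClaw's code (the advisory does not show its internals): a minimal known_hosts check in the OpenSSH entry format, with a trust-on-first-use policy beside the hardened one. Hostnames and key bytes are constructed.

```python
import base64
import hashlib
import hmac

# Constructed sample key material (not real keys): the key the trusted attachment
# host is expected to present, and a different key a spoofed host might present.
TRUSTED_KEY = base64.b64encode(b"constructed-ed25519-key-material-not-real").decode()
ROGUE_KEY = base64.b64encode(b"constructed-key-from-a-spoofed-host").decode()
HOST = "imsg-relay.example.internal"  # assumed hostname

# OpenSSH known_hosts lines: "<host> <keytype> <base64 key>" or, with HashKnownHosts,
# "|1|<base64 salt>|<base64 HMAC-SHA1(salt, host)> <keytype> <base64 key>".
def _hashed_entry(host: str, salt: bytes) -> str:
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# Pre-provisioned known_hosts content: one plain and one hashed entry.
KNOWN_HOSTS = "\n".join([
    f"{HOST} ssh-ed25519 {TRUSTED_KEY}",
    f"{_hashed_entry('backup.example.internal', b'0123456789abcdef0123')} ssh-ed25519 {TRUSTED_KEY}",
])

def _entry_matches_host(name_field: str, host: str) -> bool:
    if name_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = name_field.split("|", 3)
        expected = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return host in name_field.split(",")

def check_host_key(known_hosts: str, host: str, keytype: str, key_b64: str) -> str:
    """Return 'ok', 'mismatch' or 'unknown' for the key presented at connect time."""
    seen = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        if not _entry_matches_host(parts[0], host) or parts[1] != keytype:
            continue
        seen = True
        if hmac.compare_digest(parts[2], key_b64):
            return "ok"
    return "mismatch" if seen else "unknown"

def accept_connection(verdict: str, trust_on_first_use: bool) -> bool:
    """Weak policy (TOFU) accepts any never-seen host, so a spoofed host wins on the
    first connection; the hardened policy only accepts a pre-provisioned key."""
    if verdict == "ok":
        return True
    return trust_on_first_use and verdict == "unknown"
```

Seeding known_hosts before the first fetch is what makes the hardened policy usable; without it every first connection is rejected rather than silently trusted.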


Remediation

Install the security update from the vendor's website.

Sources