Description
OpenClaw versions prior to 2026.2.21 improperly parse the left-most X-Forwarded-For header value when requests originate from configured trusted proxies, allowing attackers to spoof client IP addresses. In proxy chains that append or preserve header values, attackers can inject malicious header content to influence security decisions including authentication rate-limiting and IP-based access controls.
Published: 2026-03-19
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote IP Spoofing
Action: Patch Now
AI Analysis

Impact

OpenClaw versions before 2026.2.21 incorrectly parse the left‑most value of the X‑Forwarded‑For header when requests come from configured trusted proxies. This allows an attacker to inject an arbitrary IP address, effectively spoofing the client’s IP. The spoofed IP can be used to bypass IP‑based access controls, evade authentication rate limiting, and potentially gain unauthorized access to restricted resources. The vulnerability is classified under CWE‑345: Incorrect Validation of IP Address.

Affected Systems

The affected product is OpenClaw, in all versions prior to 2026.2.21. No other products or version ranges are explicitly listed as vulnerable; the CNA's data indicates that every release before 2026.2.21 is impacted.

Risk and Exploitability

The CVSS score for this vulnerability is 6.3, indicating moderate severity. EPSS information is not available, and the issue is not listed in the CISA KEV catalog. Attackers can exploit the flaw over the network by sending HTTP requests with a crafted X‑Forwarded‑For header from an IP that the application trusts. Once the header is parsed, the spoofed address replaces the true client IP in the application's logic, allowing the attacker to subvert authentication checks and other IP‑aware controls.

Generated by OpenCVE AI on March 19, 2026 at 23:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.21 or later
  • Reconfigure trusted proxies to validate or remove the X-Forwarded-For header before it reaches the application
  • Review and adjust authentication rate‑limiting and IP‑based access control rules to ensure they rely on validated client IPs
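
The parsing mistake described in the Impact and Risk sections above, and the "rely on validated client IPs" action in the list just given, can both be shown in a few lines. The block below is an added example and not OpenClaw's code (the page does not show the project's actual parser); it contrasts the left-most parse with a trusted-proxy-aware right-to-left walk. The trusted proxy set and every client address in it are constructed sample values from the RFC 5737 documentation ranges, and `isValidIp` is a simplified check standing in for Node's `net.isIP()`.

```javascript
// Added example, not OpenClaw's code: the X-Forwarded-For parsing mistake this
// CVE describes, beside a trusted-proxy-aware parse. Proxy and client addresses
// are constructed sample values (RFC 5737 documentation ranges).
//
// A proxy chain builds the header from the left: each hop appends the address it
// accepted the connection from, so for client -> P1 -> P2 -> app the app sees
//   X-Forwarded-For: <client>, <P1>        (P2 is the TCP peer)
// Only entries written by hops we control can be trusted. The left-most entry is
// whatever the sender put there: if the sender supplied its own header, the
// proxy appends to it and the sender's value ends up on the left.

const TRUSTED_PROXIES = new Set(["10.0.0.5", "10.0.0.6"]); // constructed sample

// Simplified syntax check; in Node, net.isIP() is the production choice.
function isValidIp(s) {
  const v4 = s.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) return v4.slice(1).every((octet) => Number(octet) <= 255);
  return /^[0-9a-f]{0,4}(:[0-9a-f]{0,4}){2,7}$/i.test(s);
}

function splitXff(header) {
  if (!header) return [];
  return header.split(",").map((v) => v.trim()).filter((v) => v.length > 0);
}

// Vulnerable pattern: once the peer is a trusted proxy, believe the left-most value.
function clientIpLeftmost(remoteAddr, xff, trusted = TRUSTED_PROXIES) {
  if (!trusted.has(remoteAddr)) return remoteAddr;
  const entries = splitXff(xff);
  return entries.length > 0 ? entries[0] : remoteAddr;
}

// Hardened: walk right-to-left, discard hops we trust, and stop at the first
// address that a trusted hop saw as its peer. Returns null when that value is
// not an IP address, so the caller can deny rather than guess.
function clientIpRightmostUntrusted(remoteAddr, xff, trusted = TRUSTED_PROXIES) {
  if (!trusted.has(remoteAddr)) return remoteAddr; // header from an untrusted peer: ignore it
  const entries = splitXff(xff);
  for (let i = entries.length - 1; i >= 0; i--) {
    const ip = entries[i];
    if (trusted.has(ip)) continue; // appended by one of our own proxies
    return isValidIp(ip) ? ip : null;
  }
  // Every entry is one of our proxies (or the header is empty): the originator
  // is the left-most proxy itself, or the peer when there is no header at all.
  return entries.length > 0 ? entries[0] : remoteAddr;
}

// Run both parsers on the same request so the difference is visible.
function compareParsers(remoteAddr, xff, trusted = TRUSTED_PROXIES) {
  return {
    leftmost: clientIpLeftmost(remoteAddr, xff, trusted),
    hardened: clientIpRightmostUntrusted(remoteAddr, xff, trusted),
  };
}

// Constructed sample: 192.0.2.1 is a value the sender placed in its own header;
// 198.51.100.7 is the address proxy 10.0.0.5 actually accepted the connection from.
const sample = compareParsers("10.0.0.5", "192.0.2.1, 198.51.100.7");
console.log(sample); // { leftmost: '192.0.2.1', hardened: '198.51.100.7' }
```

Rate limiters and IP allow/deny rules should key on the value returned by the hardened parser, and a `null` result should be treated as "unknown client" and denied rather than mapped onto the proxy's own address, which would otherwise share one rate-limit bucket or allowlist entry across every request the proxy forwards. This matches the second and third recommended actions: the proxy tier must be the only writer the application believes, and the application must consume the header from that side.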

Advisories

  Source: GitHub GHSA
  ID:     GHSA-2rgf-hm63-5qph
  Title:  OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions
History

Wed, 25 Mar 2026 15:00:00 +0000

  Metrics
    Removed: cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}
    Added:   cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Fri, 20 Mar 2026 19:15:00 +0000

  Metrics
    Added:   ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 22:15:00 +0000

  Description
    Added:   OpenClaw versions prior to 2026.2.21 improperly parse the left-most X-Forwarded-For header value when requests originate from configured trusted proxies, allowing attackers to spoof client IP addresses. In proxy chains that append or preserve header values, attackers can inject malicious header content to influence security decisions including authentication rate-limiting and IP-based access controls.
  Title
    Added:   OpenClaw < 2026.2.21 - Client IP Spoofing via X-Forwarded-For Header Parsing
  First Time appeared
    Added:   Openclaw; Openclaw openclaw
  Weaknesses
    Added:   CWE-345
  CPEs
    Added:   cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  Vendors & Products
    Added:   Openclaw; Openclaw openclaw
  References
    (none)
  Metrics
    Added:   cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}
    Added:   cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-25T14:29:13.915Z

Reserved: 2026-03-10T19:48:43.186Z

Link: CVE-2026-32029

Vulnrichment

Updated: 2026-03-20T18:05:57.192Z

NVD

Status : Modified

Published: 2026-03-19T22:16:38.123

Modified: 2026-03-25T15:16:45.723

Link: CVE-2026-32029

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T10:44:24Z

Weaknesses