Description
OpenClaw before 2026.3.22 contains an authentication bypass vulnerability in the X-Forwarded-For header processing when trustedProxies is configured, allowing attackers to spoof loopback hops. Remote attackers can inject forged forwarding headers to bypass canvas authentication and rate-limiting protections by masquerading as loopback clients.
Published: 2026-04-10
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass with rate‑limiter evasion
Action: Immediate Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.3.22 contain an authentication bypass vulnerability in the processing of the X‑Forwarded‑For header when the trustedProxies setting is enabled. An attacker can forge loopback addresses in this header to impersonate a local client. Through this flaw, the application’s canvas authentication and rate‑limiting controls can be circumvented, allowing the attacker to gain unauthorized access to protected resources or exhaust service limits. The weakness is categorized as CWE‑290, Broken Authentication.

Affected Systems

Any installation of OpenClaw (OpenClaw:OpenClaw) running a version earlier than 2026.3.22 is affected. These deployments typically run on a Node.js runtime as indicated by the supplied CPE.

Risk and Exploitability

The CVSS score of 6.3 indicates a medium severity impact. No EPSS data is available, but the lack of listing in CISA’s KEV catalog suggests no publicly known exploit yet. Exploitation requires the ability to send HTTP requests with a crafted X‑Forwarded‑For header, which is generally possible from any remote host. Once the header is accepted, the attacker can bypass authentication and rate limits, potentially enabling further compromise of the system.

Generated by OpenCVE AI on April 10, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.22 or later.
  • If an immediate upgrade is not feasible, temporarily disable the trustedProxies configuration or remove X‑Forwarded‑For header processing.
  • Monitor inbound traffic for anomalous X‑Forwarded‑For header values and review access logs for suspicious activity.

Generated by OpenCVE AI on April 10, 2026 at 17:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-844j-xrrq-wgh4 OpenClaw: Forwarding header spoofing bypasses gateway.trustedProxies origin detection
History

Fri, 10 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.22 contains an authentication bypass vulnerability in the X-Forwarded-For header processing when trustedProxies is configured, allowing attackers to spoof loopback hops. Remote attackers can inject forged forwarding headers to bypass canvas authentication and rate-limiting protections by masquerading as loopback clients.
Title OpenClaw < 2026.3.22 - XFF Loopback Spoofing Bypass in Canvas Authentication and Rate Limiter
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-290
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-10T18:23:28.866Z

Reserved: 2026-04-04T12:31:23.534Z

Link: CVE-2026-35656

cve-icon Vulnrichment

Updated: 2026-04-10T18:23:24.889Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T17:17:06.733

Modified: 2026-04-13T21:07:56.597

Link: CVE-2026-35656

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T13:00:48Z

Weaknesses