Description
OpenClaw before 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer when allowRemoteViewer is disabled, allowing unauthorized access. Attackers can bypass access controls by sending proxied requests that are incorrectly identified as local loopback traffic, circumventing intended remote viewer restrictions.
Published: 2026-04-28
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized access via proxied requests
Action: Apply Patch
AI Analysis

Impact

The vulnerability lies in OpenClaw’s handling of proxied remote requests. When allowRemoteViewer is disabled, the software mistakenly treats these requests as loopback traffic, effectively bypassing the access controls implemented in the diffs viewer. This is a CWE-807 vulnerability, involving cross‑reference validation failure. Attackers can exploit this misclassification to read or manipulate diffs that they are not authorized to see, compromising the confidentiality and integrity of repository data.

Affected Systems

OpenClaw software versions prior to 2026.3.31. The vulnerability affects installations that run on a Node.js environment as indicated by the linked CPE entry.

Risk and Exploitability

The vulnerability scores a CVSS of 6.3, indicating moderate severity. No EPSS score is available, so the exploitation likelihood is uncertain. It is not listed in CISA’s KEV catalog, suggesting limited or no known exploitation. The attack requires the attacker to send a proxied request that the system incorrectly classifies as local loopback traffic, so some network access or proxy influence is necessary.

Generated by OpenCVE AI on April 29, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.31 or later, which eliminates the misclassification issue.
  • If an upgrade cannot be performed immediately, enforce allowRemoteViewer=false and restrict proxied traffic to trusted IPs using firewall or proxy rules.
  • Monitor logs for abnormal diff viewer access and limit proxy usage to internal networks.

Generated by OpenCVE AI on April 29, 2026 at 01:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer when allowRemoteViewer is disabled, allowing unauthorized access. Attackers can bypass access controls by sending proxied requests that are incorrectly identified as local loopback traffic, circumventing intended remote viewer restrictions.
Title OpenClaw < 2026.3.31 - Access Control Bypass via Proxied Remote Request Misclassification
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-807
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-28T18:10:00.264Z

Reserved: 2026-04-20T14:15:22.223Z

Link: CVE-2026-41403

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-28T19:37:43.823

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-41403

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T01:30:06Z

Weaknesses