Description
OpenClaw before 2026.5.18 contains an identity header validation vulnerability allowing local same-host callers to forge trusted-proxy identity headers. Attackers with access to the proxy-facing Gateway port can supply forged identity headers to assume operator identity and potentially escalate privileges.
Published: 2026-06-12
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw before version 2026.5.18 fails to properly validate identity headers when the trusted‑proxy configuration is enabled, allowing a local attacker with access to the gateway port to forge headers and impersonate the operator. This authentication bypass can give the attacker the privileges of the operator or higher, potentially enabling full administrative control over the system. The weakness constitutes a CWE‑290 issue where trust is incorrectly applied to header values when the source is presumed trusted.

Affected Systems

The affected product is OpenClaw OpenClaw, versions earlier than 2026.5.18. Users running these editions on any platform where the trusted‑proxy header validation is active are susceptible to the forging exploit.

Risk and Exploitability

The CVSS score of 7.4 indicates a high severity vulnerability, and although no EPSS score is available, the lack of a KEV listing does not reduce the risk. Attackers must be able to communicate with the proxy‑facing Gateway port on the same host, suggesting a local but privileged context; however, once the forged header is accepted, privilege escalation is immediate. The potential impact is significant because it enables operator impersonation and could lead to further compromise of the application.

Generated by OpenCVE AI on June 12, 2026 at 23:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch to upgrade OpenClaw to version 2026.5.18 or later
  • Limit network exposure of the proxy‑facing Gateway port to trusted administrators only
  • If upgrading is delayed, disable the trusted‑proxy header validation functionality until a patch is applied
  • Monitor system logs for unexpected identity header changes and enforce strict access controls

Generated by OpenCVE AI on June 12, 2026 at 23:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.5.18 contains an identity header validation vulnerability allowing local same-host callers to forge trusted-proxy identity headers. Attackers with access to the proxy-facing Gateway port can supply forged identity headers to assume operator identity and potentially escalate privileges.
Title OpenClaw < 2026.5.18 - Identity Header Forgery via Trusted-Proxy Configuration
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-290
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 7.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-15T21:40:00.307Z

Reserved: 2026-06-10T21:16:58.212Z

Link: CVE-2026-53832

cve-icon Vulnrichment

Updated: 2026-06-15T21:39:55.591Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-12T22:16:54.790

Modified: 2026-06-16T00:37:37.110

Link: CVE-2026-53832

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-13T01:15:17Z

Weaknesses
  • CWE-290

    Authentication Bypass by Spoofing