OpenClaw: Forwarding header spoofing bypasses gateway.trustedProxies origin detection
Moderate severity
GitHub Reviewed
Published
Mar 24, 2026
in
openclaw/openclaw
•
Updated Apr 10, 2026
Description
Published to the GitHub Advisory Database
Mar 26, 2026
Reviewed
Mar 26, 2026
Published by the National Vulnerability Database
Apr 10, 2026
Last updated
Apr 10, 2026
Summary
When gateway.trustedProxies was configured, spoofed loopback hops in forwarding headers could be accepted as the client origin and weaken downstream auth and rate-limit decisions.
Affected Packages / Versions
openclaw(npm)v2026.3.23-2(630f1479c44f78484dfa21bb407cbe6f171dac87)2026.3.23-2Fix Commit(s)
fc2d29ea926f47c428c556e92ec981441228d2a4Release Status
The fix shipped in
v2026.3.22and remains present inv2026.3.23andv2026.3.23-2.Code-Level Confirmation
OpenClaw thanks @lintsinghua for reporting.
References