CVE-2026-32029
MEDIUM
OpenClaw < 2026.2.21 - Client IP Spoofing via X-Forwarded-For Header Parsing
Title source: cna
Description
OpenClaw versions prior to 2026.2.21 improperly parse the left-most X-Forwarded-For header value when requests originate from configured trusted proxies, allowing attackers to spoof client IP addresses. In proxy chains that append or preserve header values, attackers can inject malicious header content to influence security decisions including authentication rate-limiting and IP-based access controls.
References (4)
Core 4
Core References
Third Party Advisory
GitHub Security Advisory (GHSA-2rgf-hm63-5qph)
https://github.com/openclaw/openclaw/security/advisories/GHSA-2rgf-hm63-5qph
Patch
Patch Commit #1
https://github.com/openclaw/openclaw/commit/07039dc089e51589a213ec0d16f8d6f2cd871fa1
Patch
Patch Commit #2
https://github.com/openclaw/openclaw/commit/8877bfd11ec7760b115b2d0d7500a45da2749747
Third Party Advisory
VulnCheck Advisory: OpenClaw < 2026.2.21 - Client IP Spoofing via X-Forwarded-For Header Parsing
https://www.vulncheck.com/advisories/openclaw-client-ip-spoofing-via-x-forwarded-for-header-parsing
Scores
CVSS v3
5.3
EPSS
0.0019
EPSS Percentile
8.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-345
Status
published
Products (4)
npm/openclaw
0 - 2026.2.21 (npm)
OpenClaw/OpenClaw
< 2026.2.21
openclaw/openclaw
< 2026.2.21
OpenClaw/OpenClaw
2026.2.21
Published
Mar 19, 2026
Tracked Since
Mar 20, 2026