Main Vulnerability Database Vulnerabilities #VU125189

Authentication Bypass by Spoofing in OpenClaw - #VU125189

Published: April 8, 2026

Vulnerability identifier: #VU125189

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-290

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: OpenClaw

Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication and rate limiting.

The vulnerability exists due to authentication bypass by spoofing in client origin resolution for canvas auth and auth-rate-limit paths when processing forwarding headers with trusted proxies configured. A remote attacker can send spoofed forwarding headers with loopback hops to bypass authentication and rate limiting.

Exploitation requires gateway.trustedProxies to be configured.

Remediation

Install security update from vendor's website.

Sources

https://github.com/openclaw/openclaw/security/advisories/GHSA-844j-xrrq-wgh4

Authentication Bypass by Spoofing in OpenClaw - #VU125189

Detailed vulnerability description

Remediation

Sources

Please verify you're human