Authentication Bypass by Spoofing in OpenClaw - CVE-2026-32045

Published: May 1, 2026


Vulnerability identifier: #VU128831
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-32045
CWE-ID: CWE-290
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication requirements for HTTP routes.

The vulnerability exists because the gateway's HTTP authentication call sites accept forwarded-header (Tailscale identity) authentication when tokenless Tailscale header auth is enabled, without verifying that the headers were actually set by the trusted proxy. A remote attacker can send requests carrying spoofed forwarded-header authentication and bypass the authentication requirements for HTTP routes.

Only trusted-network deployments with tokenless Tailscale auth enabled are affected.
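As an added, generic illustration of the weakness class CWE-290 covers here (this is not OpenClaw's code; the header name, peer addresses and option names are assumptions), the block below shows a handler that trusts a proxy-injected identity header from any peer beside a hardened one that honours it only when the TCP peer is the trusted proxy and the mode has been explicitly enabled for that listener.

```javascript
// Added example, not from the OpenClaw project. Header name, addresses and
// option names are hypothetical; the pattern is the point.

// Hypothetical identity header that a trusted reverse proxy injects after it
// has authenticated the client on the private network.
const IDENTITY_HEADER = "x-proxy-user";

// Weak pattern: whoever can reach the listener can claim any identity simply
// by setting the header themselves. This is the CWE-290 failure mode.
function identityFromHeaderOnly(req) {
  const user = req.headers[IDENTITY_HEADER];
  return typeof user === "string" && user.length > 0
    ? { user, source: "header" }
    : null;
}

// Hardened pattern: the header is honoured only when
//   1. header auth is explicitly enabled for this listener, and
//   2. the socket peer address is the trusted proxy itself.
// A remote client can forge any header, but it cannot forge the TCP peer
// address the gateway sees on an established connection.
function identityFromTrustedProxy(req, opts) {
  if (!opts.headerAuthEnabled) return null;
  if (!opts.trustedProxyPeers.has(req.remoteAddress)) return null;
  const user = req.headers[IDENTITY_HEADER];
  if (typeof user !== "string" || user.length === 0) return null;
  return { user, source: "trusted-proxy" };
}

// Gateway decision: identity from the trusted proxy grants access; anything
// else is rejected (a real gateway would fall back to token auth here).
function authorize(req, opts) {
  const id = identityFromTrustedProxy(req, opts);
  return id ? { status: 200, user: id.user } : { status: 401, user: null };
}

// Constructed sample requests (not captured traffic).
const OPTS = {
  headerAuthEnabled: true,
  trustedProxyPeers: new Set(["127.0.0.1"]), // proxy terminates on loopback
};

// Request that arrived directly from an arbitrary remote peer with a forged header.
const spoofedRequest = {
  remoteAddress: "203.0.113.7",
  headers: { [IDENTITY_HEADER]: "alice@example.test" },
};

// Request that arrived through the trusted proxy on loopback.
const proxiedRequest = {
  remoteAddress: "127.0.0.1",
  headers: { [IDENTITY_HEADER]: "alice@example.test" },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("weak   :", identityFromHeaderOnly(spoofedRequest));      // accepts forged identity
  console.log("hardened:", authorize(spoofedRequest, OPTS));            // 401
  console.log("hardened:", authorize(proxiedRequest, OPTS));            // 200 alice
}
```

The peer-address check is only meaningful if the listener that honours the header is reachable solely through the proxy; if the same listener is also exposed directly, the header still arrives unfiltered from any client, which is why the mode should be opt-in per listener rather than a global switch.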


How to mitigate CVE-2026-32045

Install the security update from the vendor's website.

Sources