Reliance on Untrusted Inputs in a Security Decision in OpenClaw - CVE-2026-32029
Published: May 1, 2026
OpenClaw
Detailed vulnerability description
The vulnerability allows a remote attacker to spoof the client ip used in security decisions.
The vulnerability exists due to reliance on untrusted inputs in a security decision in X-Forwarded-For header parsing when processing requests forwarded by trusted proxies that append or preserve header values. A remote attacker can supply a crafted X-Forwarded-For header to spoof the client ip used in security decisions.
The issue affects deployments behind trusted proxies with non-recommended forwarding behavior.