Authentication Bypass by Spoofing in OpenClaw - #VU132706
Published: May 29, 2026
OpenClaw
Detailed vulnerability description
The vulnerability allows a local user to spoof an operator's identity.
The vulnerability exists due to authentication bypass by spoofing in the Gateway's handling of trusted-proxy identity headers, which is exposed when requests are sent directly to the proxy-facing Gateway port from the same host. A local user can supply forged identity headers to spoof an operator's identity.
Only deployments with the affected feature enabled and reachable are vulnerable.
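The following is an added example, not OpenClaw code and not taken from the advisory: a weak and a hardened way for a gateway to decide whether identity headers came from its trusted proxy. It assumes the proxy is recognised by its loopback peer address, which the advisory does not state. The header names, the shared secret and all function names are hypothetical.

```javascript
// Added illustration, not OpenClaw code. Header names, the secret and all
// function names are hypothetical.
const { createHash, timingSafeEqual } = require('node:crypto');

const USER_HEADER = 'x-forwarded-user';   // hypothetical identity header
const ROLE_HEADER = 'x-forwarded-role';   // hypothetical identity header
const PROXY_AUTH_HEADER = 'x-proxy-auth'; // hypothetical proxy credential header
const LOOPBACK = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

// Weak pattern: the peer address stands in for "this is the proxy". Every
// process on the host also connects from loopback, so its headers are believed.
function identityByPeerAddress(req) {
  if (!LOOPBACK.has(req.remoteAddress)) return null;
  return req.headers[USER_HEADER] || null;
}

// Hash both sides so timingSafeEqual always compares equal-length buffers.
function secretsMatch(presented, expected) {
  const digest = (s) => createHash('sha256').update(s).digest();
  return timingSafeEqual(digest(presented), digest(expected));
}

// Hardened pattern: identity headers count only when the sender proves it is
// the proxy with a secret local users cannot read; otherwise they are stripped.
function identityByProxySecret(req, proxySecret) {
  const presented = req.headers[PROXY_AUTH_HEADER];
  const fromProxy = typeof presented === 'string' && secretsMatch(presented, proxySecret);
  delete req.headers[PROXY_AUTH_HEADER]; // never pass the credential downstream
  if (!fromProxy) {
    delete req.headers[USER_HEADER];
    delete req.headers[ROLE_HEADER];
    return null;
  }
  return req.headers[USER_HEADER] || null;
}

// Constructed sample requests: one relayed by the proxy, one sent straight to
// the proxy-facing port by another process on the same host.
function sampleRequests(secret) {
  return {
    viaProxy: { remoteAddress: '127.0.0.1',
      headers: { [USER_HEADER]: 'alice', [ROLE_HEADER]: 'operator', [PROXY_AUTH_HEADER]: secret } },
    direct: { remoteAddress: '127.0.0.1',
      headers: { [USER_HEADER]: 'alice', [ROLE_HEADER]: 'operator' } },
  };
}
```

Binding the proxy-facing port to a Unix socket with restrictive file permissions, or requiring mutual TLS from the proxy, serves the same purpose as the shared secret used here.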