Anthony Disanti

#48109 of 53,632
5.3 Total CVSS
Vulnerabilities · 1
PT-2026-26410
5.3
2026-03-03
Openclaw · Openclaw · CVE-2026-32029
**Name of the Vulnerable Software and Affected Versions**

OpenClaw versions prior to 2026.2.21

**Description**

OpenClaw improperly parses the left-most X-Forwarded-For header value when requests originate from configured trusted proxies, allowing attackers to spoof client IP addresses. In proxy chains that append or preserve header values, attackers can inject malicious header content to influence security decisions, including authentication rate-limiting and IP-based access controls. The issue affects deployments behind trusted proxies with non-recommended forwarding behavior.

The vulnerable component uses the left-most `X-Forwarded-For` value when processing requests from trusted proxies. This can lead to client-IP spoofing in security-sensitive areas such as authentication rate limits and identity classification. The API endpoint is not explicitly mentioned. The vulnerable parameter is the `X-Forwarded-For` header.

**Recommendations**

Versions prior to 2026.2.21 should be updated to version 2026.2.21 or later.
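The following is an added example, not OpenClaw's code and not a description of how 2026.2.21 resolves the issue. It contrasts left-most `X-Forwarded-For` selection with a common hardening pattern: walk the header right to left and stop at the first hop that is not a trusted proxy. The proxy addresses, function names and sample requests are constructed assumptions.

```javascript
// Assumed trusted-proxy addresses (constructed for this example).
const TRUSTED_PROXIES = new Set(["10.0.0.5", "10.0.0.6"]);

// Coarse shape check only; a real deployment would use a proper IP parser.
const LOOKS_LIKE_IP = /^[0-9a-fA-F:.]+$/;

function parseXff(headerValue) {
  return (headerValue || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// Weak pattern described in the advisory: trust the left-most entry,
// which is the part of the header the original client controls.
function clientIpLeftMost(peerAddr, xff) {
  if (!TRUSTED_PROXIES.has(peerAddr)) return peerAddr;
  const hops = parseXff(xff);
  return hops.length ? hops[0] : peerAddr;
}

// Hardened pattern: each trusted proxy appends the address it saw, so walk
// from the right and return the first hop that is not itself a trusted proxy.
function clientIpRightMostUntrusted(peerAddr, xff) {
  if (!TRUSTED_PROXIES.has(peerAddr)) return peerAddr; // header ignored
  const hops = parseXff(xff);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (TRUSTED_PROXIES.has(hops[i])) continue;
    // Malformed nearest hop: fall back to the socket peer instead of
    // reading further left into client-supplied data.
    return LOOKS_LIKE_IP.test(hops[i]) ? hops[i] : peerAddr;
  }
  return peerAddr;
}

// Constructed requests: one client (203.0.113.7) behind an appending proxy,
// sending a different client-supplied left-most value each time.
const SAMPLE_REQUESTS = [
  { peer: "10.0.0.5", xff: "198.51.100.1, 203.0.113.7" },
  { peer: "10.0.0.5", xff: "198.51.100.2, 203.0.113.7" },
  { peer: "10.0.0.5", xff: "198.51.100.3, 203.0.113.7" },
];

// Number of distinct rate-limit keys a resolver produces for the requests.
function distinctKeys(resolver, requests) {
  return new Set(requests.map((r) => resolver(r.peer, r.xff))).size;
}

console.log("left-most keys:", distinctKeys(clientIpLeftMost, SAMPLE_REQUESTS));
console.log("right-most-untrusted keys:",
  distinctKeys(clientIpRightMostUntrusted, SAMPLE_REQUESTS));
```

With the left-most resolver, the three requests from one client land in three separate rate-limit buckets; with the right-to-left walk they share one.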