PT-2026-25413 · Npm · Openclaw

Published: 2026-03-03 · Updated: 2026-03-03

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

OpenClaw used the left-most X-Forwarded-For value when a request arrived from a configured trusted proxy. In proxy chains that append to or preserve inbound header values, this could let attacker-controlled header content influence security decisions tied to the client IP.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: <= 2026.2.19-2
  • Patched: 2026.2.21 (planned next release)

Impact

Possible client-IP spoofing in security-sensitive paths (for example auth rate-limit identity and local/private classification) for deployments behind trusted proxies with non-recommended forwarding behavior.

Scope Note

OpenClaw docs recommend that reverse proxies overwrite (not append to or preserve) inbound forwarding headers. This condition reduces severity.
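The following is an added illustration, not OpenClaw's own code, of the two behaviours the Summary and Scope Note describe: a resolver that trusts the left-most X-Forwarded-For entry whenever the direct peer is a trusted proxy, beside a hardened resolver that walks the chain from the right and stops at the first address that is not a trusted proxy. The trusted-proxy list, the sample request and the private-range classifier are constructed assumptions for the example; the chain in the sample is what a proxy that appends rather than overwrites would produce.

```javascript
// Added example (not OpenClaw code): client-IP resolution behind trusted proxies.
// Assumptions: trusted proxies are exact IPv4 strings; headers are a plain
// object with lower-case keys; only IPv4 is classified as local/private.

// Constructed sample deployment: two trusted proxies that APPEND to the
// inbound header instead of overwriting it, so an inbound left-most entry
// survives to the application.
const TRUSTED_PROXIES = new Set(["10.0.0.1", "10.0.0.2"]);

// Constructed request: real client is 203.0.113.7, the inbound header
// already carried "127.0.0.1" when it reached the first proxy.
const sampleRequest = {
  remoteAddress: "10.0.0.2",
  headers: { "x-forwarded-for": "127.0.0.1, 203.0.113.7, 10.0.0.1" },
};

// Split a comma-separated forwarding header into trimmed, non-empty hops.
function parseForwardedFor(headerValue) {
  if (typeof headerValue !== "string") return [];
  return headerValue.split(",").map((s) => s.trim()).filter(Boolean);
}

// Vulnerable pattern described in the advisory: once the direct peer is a
// trusted proxy, take the left-most value without checking who wrote it.
function clientIpLeftmost(req) {
  if (!TRUSTED_PROXIES.has(req.remoteAddress)) return req.remoteAddress;
  const hops = parseForwardedFor(req.headers["x-forwarded-for"]);
  return hops.length ? hops[0] : req.remoteAddress;
}

// Hardened pattern: walk from the nearest hop (right) toward the client,
// skipping entries that are themselves trusted proxies. The first address
// not on the trusted list is the client; anything further left was not
// appended by a proxy we trust and is ignored.
function clientIpRightmostUntrusted(req) {
  if (!TRUSTED_PROXIES.has(req.remoteAddress)) return req.remoteAddress;
  const hops = parseForwardedFor(req.headers["x-forwarded-for"]);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!TRUSTED_PROXIES.has(hops[i])) return hops[i];
  }
  // Every listed hop is a trusted proxy: fall back to the direct peer.
  return req.remoteAddress;
}

// Minimal IPv4 loopback/private classifier (127/8, 10/8, 172.16/12, 192.168/16),
// standing in for the "local/private classification" the Impact section names.
function isLoopbackOrPrivate(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 127 ||
    a === 10 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168)
  );
}

// Compare what each resolver decides for the constructed request.
function compareResolvers(req) {
  const leftmost = clientIpLeftmost(req);
  const hardened = clientIpRightmostUntrusted(req);
  return {
    leftmost,
    leftmostLooksLocal: isLoopbackOrPrivate(leftmost),
    hardened,
    hardenedLooksLocal: isLoopbackOrPrivate(hardened),
  };
}

console.log(compareResolvers(sampleRequest));
```

With the constructed chain, the left-most resolver classifies the request as local even though the real client is on a public address, while the right-to-left resolver returns the public address. When a proxy overwrites the header as the OpenClaw docs recommend, the chain contains only proxy-written hops and both resolvers agree, which is why that configuration reduces the severity.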

Fix Commit(s)

  • 07039dc089e51589a213ec0d16f8d6f2cd871fa1
  • 8877bfd11ec7760b115b2d0d7500a45da2749747

Release Process Note

The patched version is pre-set to the planned next release (2026.2.21). After the npm release is out, publish this advisory.
OpenClaw thanks @AnthonyDiSanti for reporting.

Weakness Enumeration

Insufficient Verification of Data Authenticity (CWE-345)

Related Identifiers

GHSA-2RGF-HM63-5QPH

Affected Products

Openclaw