CVE-2026-44118

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.22

Description OpenClaw derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can bypass owner-gated operations by manipulating the sender-owner header metadata or the senderIsOwner flag, allowing them to present themselves as the owner and gain full owner control.

Recommendations Update to version 2026.4.22.

Fix

LPE

Authentication Bypass by Spoofing

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-290CWE-284

Related Identifiers

CVE-2026-44118

GHSA-35VF-VW9F-Q3CR

GHSA-R6XH-PQHR-V4XH

Affected Products

Openclaw

CVE-2026-44118

Weakness Enumeration

Related Identifiers

Affected Products

References · 16