PT-2026-38251 · Openclaw · Openclaw

Vladimir Tokarev

·

Published

2026-04-23

·

Updated

2026-05-28

·

CVE-2026-44118

CVSS v4.0

8.5

High

VectorAV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.22
Description OpenClaw derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can bypass owner-gated operations by manipulating the sender-owner header metadata or the senderIsOwner flag, allowing them to present themselves as the owner and gain full owner control.
Recommendations Update to version 2026.4.22.

Exploit

Fix

LPE

Authentication Bypass by Spoofing

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-08023
CVE-2026-44118
GHSA-35VF-VW9F-Q3CR
GHSA-R6XH-PQHR-V4XH

Affected Products

Openclaw