CVE-2026-32029

OpenClaw versions prior to 2026.2.21 improperly parse the left-most X-Forwarded-For header value when requests originate from configured trusted proxies, allowing attackers to spoof client IP addresses. In proxy chains that append or preserve header values, attackers can inject malicious header content to influence security decisions including authentication rate-limiting and IP-based access controls.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/openclaw/openclaw/commit/07039dc089e51589a213ec0d16f8d6f2cd871fa1	Patch
https://github.com/openclaw/openclaw/commit/8877bfd11ec7760b115b2d0d7500a45da2749747	Patch
https://github.com/openclaw/openclaw/security/advisories/GHSA-2rgf-hm63-5qph	Vendor Advisory
https://www.vulncheck.com/advisories/openclaw-client-ip-spoofing-via-x-forwarded-for-header-parsing	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

25 Mar 2026, 15:16

Type	Values Removed	Values Added
Summary		(es) Versiones de OpenClaw anteriores a 2026.2.21 analizan incorrectamente el valor del encabezado X-Forwarded-For más a la izquierda cuando las solicitudes se originan de proxies de confianza configurados, permitiendo a los atacantes suplantar direcciones IP del cliente. En cadenas de proxies que añaden o preservan valores de encabezado, los atacantes pueden inyectar contenido de encabezado malicioso para influir en decisiones de seguridad, incluyendo la limitación de tasa de autenticación y controles de acceso basados en IP.
CVSS	v2 : ~~unknown~~ v3 : ~~3.7~~	v2 : unknown v3 : 5.3

23 Mar 2026, 15:19

Type	Values Removed	Values Added
References	~~() https://github.com/openclaw/openclaw/commit/07039dc089e51589a213ec0d16f8d6f2cd871fa1 -~~	() https://github.com/openclaw/openclaw/commit/07039dc089e51589a213ec0d16f8d6f2cd871fa1 - Patch
References	~~() https://github.com/openclaw/openclaw/commit/8877bfd11ec7760b115b2d0d7500a45da2749747 -~~	() https://github.com/openclaw/openclaw/commit/8877bfd11ec7760b115b2d0d7500a45da2749747 - Patch
References	~~() https://github.com/openclaw/openclaw/security/advisories/GHSA-2rgf-hm63-5qph -~~	() https://github.com/openclaw/openclaw/security/advisories/GHSA-2rgf-hm63-5qph - Vendor Advisory
References	~~() https://www.vulncheck.com/advisories/openclaw-client-ip-spoofing-via-x-forwarded-for-header-parsing -~~	() https://www.vulncheck.com/advisories/openclaw-client-ip-spoofing-via-x-forwarded-for-header-parsing - Third Party Advisory
First Time		Openclaw openclaw Openclaw
CPE		cpe:2.3:a:openclaw:openclaw::::::node.js::*

19 Mar 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-19 22:16

Updated : 2026-03-25 15:16

NVD link : CVE-2026-32029

Mitre link : CVE-2026-32029

CVE.ORG link : CVE-2026-32029

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-345

Insufficient Verification of Data Authenticity

5.3 /10