Skip to content

OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode #499631

New issue
New issue
Open
#499141
Open
OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode#499631
#499141
Labels
1.severity: securityIssues which raise a security issue, or PRs that fix one
@nixpkgs-security-tracker

Description

@nixpkgs-security-tracker
nixpkgs-security-tracker
bot
opened on Mar 13, 2026

Description

OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted reverse proxy, inherit proxy-authenticated identity, and establish a privileged operator session. This vulnerability is fixed in 2026.3.11.

CVSS CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
  • CVSS version: 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
Affected packages
  • openclaw (2026.2.26@nixos-unstable)

Additional comment

Upstream advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-5wcw-8jjv-m286

Metadata

Metadata

Assignees

No one assigned

    Labels

    1.severity: securityIssues which raise a security issue, or PRs that fix one

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions