CVE-2026-32029

OpenClaw < 2026.2.21 - Client IP Spoofing via X-Forwarded-For Header Parsing

CVSS 6.3 MEDIUMEPSS 0.2%CWE-345

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 6.3EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

19 mar 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

OpenClaw versions prior to 2026.2.21 improperly parse the left-most X-Forwarded-For header value when requests originate from configured trusted proxies, allowing attackers to spoof client IP addresses. In proxy chains that append or preserve header values, attackers can inject malicious header content to influence security decisions including authentication rate-limiting and IP-based access controls.

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Productos afectados

OpenClaw · OpenClaw

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/openclaw/openclaw/commit/07039dc089e51589a213ec0d16f8d6f2cd871fa1 https://github.com/openclaw/openclaw/commit/8877bfd11ec7760b115b2d0d7500a45da2749747 https://github.com/openclaw/openclaw/security/advisories/GHSA-2rgf-hm63-5qph https://www.vulncheck.com/advisories/openclaw-client-ip-spoofing-via-x-forwarded-for-header-parsing