OpenClaw (npm), Origin Bypass, CVE-2026-XXXXX (Critical)

Listen to this Post

The vulnerability resides in OpenClaw versions prior to 2026.3.11 where WebSocket connections bypass origin validation when `gateway.auth.mode` is set to trusted-proxy. The handshake logic incorrectly treats proxy-delivered requests as exempt from browser origin checks whenever an Origin header appears alongside proxy headers. This exemption allows browser-originated connections to skip normal origin-validation paths despite being browser requests. Because trusted-proxy authentication produces a shared authenticated operator context, the affected path retains requested operator scopes after handshake. A page served from an untrusted origin can connect through a trusted reverse proxy and inherit proxy-authenticated identity. This establishes a privileged operator session without proper origin verification. In verified impact, attacker-origin pages successfully requested `operator.admin` and called config.get, exposing sensitive configuration. The same authenticated operator path could permit other privileged reads or mutations available to operator-class callers. The issue affects deployments exposing Gateway behind trusted reverse proxies relying on browser origin checks like controlUi.allowedOrigins. An attacker causing victim browser to load malicious page reaching proxy endpoint can establish cross-site WebSocket connection and call privileged Gateway methods. The WebSocket handshake logic treated proxy-delivered requests exempt from browser origin check when Origin header present with proxy headers. In trusted-proxy mode, exemption allowed browser-originated connections to skip normal origin-validation path even though still browser requests. Because trusted-proxy authentication produces shared authenticated operator context, affected path retained requested operator scopes after handshake. This made browser origin check the missing boundary between untrusted origin and authenticated operator-class session.

DailyCVE Form:

Platform: openclaw npm
Version: <2026.3.11
Vulnerability : Origin Bypass
Severity: Critical
date: Mar 12 2026

Prediction: Mar 19 2026

What Undercode Say:

Analytics:

  • Package: openclaw npm
  • Affected versions: All prior to 2026.3.11
  • Fixed version: 2026.3.11
  • Fix commit: ebed3bbde1a72a1aaa9b87b63b91e7c04a50036b
  • Attack vector: Cross-site WebSocket hijacking through trusted proxy
  • Privilege gained: Operator-class session with admin scopes

Bash Commands and Codes:

Check installed OpenClaw version
npm list openclaw
Update to patched version
npm install [email protected]
Verify fix commit in local installation
npm view [email protected] dist.tarball | xargs curl -s | tar -tz | grep websocket
Test for vulnerable proxy header handling
curl -H "Origin: https://malicious-site.com" \
-H "X-Forwarded-For: 127.0.0.1" \
-H "X-Forwarded-Proto: https" \
http://your-gateway:18789/ws
Check if gateway.auth.mode is set to trusted-proxy
grep -r "gateway.auth.mode" ~/.openclaw/config/
Audit allowedOrigins configuration
cat ~/.openclaw/config/gateway.yaml | grep -A 5 "controlUi.allowedOrigins"
WebSocket connection test with malicious origin
cat << EOF > test-ws-bypass.html

<script>
const ws = new WebSocket('ws://your-gateway:18789/ws', {
headers: {
'Origin': 'https://evil.com',
'X-Forwarded-For': '10.0.0.1'
}
});
ws.onopen = () => ws.send(JSON.stringify({method: "config.get"}));
</script>

EOF
Monitor WebSocket handshakes for origin validation
sudo tcpdump -i any -A -s 0 port 18789 | grep -i "origin|websocket"
Verify patch applied
openclaw --version | grep "2026.3.11"

How Exploit:

  1. Attacker hosts malicious JavaScript at `https://evil.com`
  2. Victim browses to evil.com while OpenClaw Gateway runs with `trusted-proxy` mode
  3. Malicious page opens WebSocket connection to vulnerable Gateway endpoint

4. Browser automatically includes Origin header from evil.com

  1. Gateway sees proxy headers (X-Forwarded-) and exempts request from origin validation

6. Connection inherits proxy-authenticated operator context

7. Attacker sends `operator.admin` and `config.get` method calls

  1. Gateway executes privileged operations believing request is from trusted proxy

9. Sensitive configuration data exfiltrated to attacker’s server

Protection from this CVE:

IMMEDIATE ACTION: Upgrade to fixed version
npm update openclaw@latest
Verify upgrade completed
openclaw --version
Restart OpenClaw gateway service
systemctl restart openclaw-gateway
If unable to upgrade immediately, apply workarounds:
1. Restrict reverse-proxy to trusted origins only
cat >> ~/.openclaw/config/gateway.yaml << EOF
controlUi:
allowedOrigins:
- "https://trusted-domain.com"
- "https://internal.corp.net"
EOF
2. Disable trusted-proxy mode temporarily
sed -i 's/gateway.auth.mode: trusted-proxy/gateway.auth.mode: token/' ~/.openclaw/config/gateway.yaml
3. Block browser-reachable WebSocket endpoints at proxy level
Nginx example:
location /ws {
if ($http_origin !~ (https://trusted-domain.com)) {
return 403;
}
proxy_pass http://localhost:18789/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
4. Rotate all authentication tokens after upgrade
openclaw auth rotate --all
5. Enable strict origin validation logging
export OPENCLAW_DEBUG_WEBSOCKET=true

Impact:

  • Confidentiality breach: Attackers can read sensitive configuration via `config.get`
    – Privilege escalation: Untrusted origins gain operator-class session privileges
  • Authentication bypass: Browser origin validation completely circumvented
  • Data exposure: Internal configuration, API keys, and service credentials leaked
  • Session hijacking: Attacker inherits proxy-authenticated identity without credentials
  • Method invocation: Privileged Gateway methods callable from malicious pages
  • Persistence: Attacker maintains operator session for continued access
  • Supply chain risk: Trusted reverse proxy becomes attack amplifier
  • Compliance violation: Unauthorized access to protected configuration data
  • Blast radius expansion: Any service behind trusted proxy becomes reachable

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top