Listen to this Post
How the Mentioned CVE Works
The vulnerability exists in OpenClaw’s gateway component when the `gateway.trustedProxies` option is configured. The gateway parses `X-Forwarded-For` and similar headers to determine the client’s real IP address for authentication and rate-limiting. Due to improper validation, the code failed to ignore loopback addresses (e.g., 127.0.0.1) that appear as hops in the forwarded chain. An attacker could inject a spoofed loopback entry into the `Forwarded` or `X-Forwarded-For` header. Because the gateway treated this loopback hop as a valid part of the trusted proxy chain, it would incorrectly resolve the client IP to the spoofed value. This effectively allows an attacker to bypass security controls that rely on the client’s real IP address. Authentication mechanisms that trust the resolved client identity could be subverted. Rate-limiting policies based on the client IP could be circumvented, enabling brute-force attacks or denial of service. The flaw resided in the client resolution logic within src/gateway/net.ts. The fix involves strictly ignoring any loopback addresses encountered in forwarding headers before applying trusted-proxy resolution. This ensures that only external, untrusted IPs are considered as the client origin. The vulnerability affects all versions prior to the patched release 2026.3.22.
dailycve form
Platform: OpenClaw npm
Version: < 2026.3.22
Vulnerability: Proxy IP Spoofing
Severity: Medium
date: 2026-03-26
Prediction: 2026-03-29
What Undercode Say:
Check current OpenClaw version npm list openclaw Verify trustedProxies configuration grep -r "trustedProxies" /path/to/openclaw/config Simulate spoofed loopback hop in X-Forwarded-For curl -H "X-Forwarded-For: 127.0.0.1, 203.0.113.5" http://target-gateway/api/auth
Exploit:
1. Identify OpenClaw gateway with `trustedProxies` enabled.
- Craft HTTP request containing `Forwarded: for=127.0.0.1;by=_` or
X-Forwarded-For: 127.0.0.1. - Ensure the loopback address appears as the first or intermediate hop.
- Gateway resolves client IP as loopback, bypassing IP-based restrictions.
Protection from this CVE
- Upgrade OpenClaw to version 2026.3.22 or later.
- If upgrade is not possible, avoid using `trustedProxies` with untrusted networks.
- Implement external reverse proxy with strict header sanitization to strip loopback entries.
- Monitor gateway logs for unexpected client IPs resolved as
127.0.0.1.
Impact
- Authentication bypass for features relying on resolved client IP.
- Rate-limit bypass enabling brute-force attacks.
- Inaccurate audit logging due to spoofed origin IPs.
- Potential for downstream service compromise if auth decisions are trust-based.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

