CVE-2026-32029

Description

### Summary OpenClaw used left-most `X-Forwarded-For` values when requests came from configured trusted proxies. In proxy chains that append/preserve header values, this could let attacker-controlled header content influence security decisions tied to client IP. ### Affected Packages / Versions - Package: `openclaw` (npm) - Affected: `<= 2026.2.19-2` - Patched: `2026.2.21` (planned next release) ### Impact Possible client-IP spoofing in security-sensitive paths (for example auth rate-limit identity and local/private classification) for deployments behind trusted proxies with non-recommended forwarding behavior. ### Scope Note OpenClaw docs recommend reverse proxies overwrite (not append/preserve) inbound forwarding headers. This condition reduces severity. ### Fix Commit(s) - `07039dc089e51589a213ec0d16f8d6f2cd871fa1` - `8877bfd11ec7760b115b2d0d7500a45da2749747` ### Release Process Note `patched_versions` is pre-set to the planned next release (`2026.2.21`). After npm release is out, publish this advisory. OpenClaw thanks @AnthonyDiSanti for reporting.

How to fix CVE-2026-32029

To remediate CVE-2026-32029, upgrade the affected package to a fixed version below.

—upgrade to 2026.2.21 or later

Is CVE-2026-32029 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2026.2.21

CVSS scores

Source

osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N