CVE-2026-32029
MEDIUM5.3EPSS 0.04%OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions
描述
### Summary OpenClaw used left-most `X-Forwarded-For` values when requests came from configured trusted proxies. In proxy chains that append/preserve header values, this could let attacker-controlled header content influence security decisions tied to client IP. ### Affected Packages / Versions - Package: `openclaw` (npm) - Affected: `<= 2026.2.19-2` - Patched: `2026.2.21` (planned next release) ### Impact Possible client-IP spoofing in security-sensitive paths (for example auth rate-limit identity and local/private classification) for deployments behind trusted proxies with non-recommended forwarding behavior. ### Scope Note OpenClaw docs recommend reverse proxies overwrite (not append/preserve) inbound forwarding headers. This condition reduces severity. ### Fix Commit(s) - `07039dc089e51589a213ec0d16f8d6f2cd871fa1` - `8877bfd11ec7760b115b2d0d7500a45da2749747` ### Release Process Note `patched_versions` is pre-set to the planned next release (`2026.2.21`). After npm release is out, publish this advisory. OpenClaw thanks @AnthonyDiSanti for reporting.
受影響套件(1)
- npm/openclawfrom 0, < 2026.2.21
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-32029
- PATCHhttps://github.com/openclaw/openclaw
- WEBhttps://github.com/openclaw/openclaw/commit/07039dc089e51589a213ec0d16f8d6f2cd871fa1
- WEBhttps://github.com/openclaw/openclaw/commit/8877bfd11ec7760b115b2d0d7500a45da2749747
- WEBhttps://github.com/openclaw/openclaw/security/advisories/GHSA-2rgf-hm63-5qph
- WEBhttps://www.vulncheck.com/advisories/openclaw-client-ip-spoofing-via-x-forwarded-for-header-parsing