OpenClaw Client IP Spoofing Vulnerability via X-Forwarded-For Header Parsing
Vulnerability
A vulnerability exists in OpenClaw versions prior to 2026.2.21, where the left-most X-Forwarded-For header value is improperly parsed when requests come from trusted proxies. This flaw allows attackers to spoof client IP addresses. In proxy chains that append or preserve header values, injected header content can manipulate security decisions related to authentication rate-limiting and IP-based access controls.
Impact
Exploitation of this vulnerability can lead to client IP spoofing, affecting security-sensitive functions such as authentication rate-limiting and IP-based access controls.
Reproduction
To reproduce this vulnerability, send a request from a trusted proxy that appends or preserves X-Forwarded-For header values. Include a spoofed IP address in the left-most position of the X-Forwarded-For header. The application will incorrectly trust this value, allowing for manipulation of IP-based security measures.
Remediation
Users can update to OpenClaw version 2026.2.21 or later to address this vulnerability.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.