OpenClaw Cross-Site Request Forgery Vulnerability in Trusted-Proxy Mode
Vulnerability
A cross-site request forgery (CSRF) vulnerability has been identified in OpenClaw versions prior to 2026.3.31. The issue arises in the HTTP operator endpoints, which do not validate the browser-supplied Origin header when trusted-proxy mode is enabled. Because the endpoints accept requests arriving through the trusted proxy without that check, a malicious web page can make a browser send requests that the endpoints accept, performing unauthorized actions on the affected HTTP operator endpoints.
Impact
Exploitation of this vulnerability allows for cross-site request forgery attacks, where an attacker can perform unauthorized actions on behalf of a user.
Reproduction
To reproduce this vulnerability, send a browser-originated request to an HTTP operator endpoint through a deployment running in trusted-proxy mode, with the 'Origin' header set to a value that is not in the endpoint's allowlist. The request is accepted and any actions associated with it are performed, because the origin is never validated.
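The missing check described above, as an added example that is not OpenClaw's own code: a browser-origin gate that stays in force in trusted-proxy mode, shown next to the vulnerable shape that skips it. The allowlist entries and the sample request are constructed; header names follow Node's lowercase convention.

```javascript
// Allowlist of browser origins permitted to reach operator endpoints (constructed).
const ALLOWED_ORIGINS = new Set(["https://operator.example.internal"]);

// Origin is scheme://host[:port]; URL() lowercases the host and drops default ports.
function normalizeOrigin(origin) {
  try {
    return new URL(origin).origin.toLowerCase();
  } catch {
    return null; // covers the literal "null" Origin and malformed values
  }
}

// Decide from browser-supplied metadata only; the proxy's trust status is irrelevant here.
function checkBrowserOrigin(headers, allowlist = ALLOWED_ORIGINS) {
  const origin = headers.origin;
  const fetchSite = (headers["sec-fetch-site"] || "").toLowerCase();
  if (origin !== undefined) {
    const norm = normalizeOrigin(origin);
    if (norm === null || !allowlist.has(norm)) {
      return { allowed: false, reason: "origin not allowlisted" };
    }
    return { allowed: true, reason: "origin allowlisted" };
  }
  // No Origin header: browsers still send Sec-Fetch-Site on cross-site requests.
  if (fetchSite === "cross-site") {
    return { allowed: false, reason: "cross-site fetch metadata" };
  }
  // Non-browser clients carry no origin metadata and are gated by their own auth.
  return { allowed: true, reason: "no browser origin metadata" };
}

// Vulnerable shape from the advisory: trusted-proxy mode bypasses the origin check.
function vulnerableGate(headers, trustedProxy) {
  if (trustedProxy) return { allowed: true, reason: "trusted proxy, origin unchecked" };
  return checkBrowserOrigin(headers);
}

// Hardened shape: trusted-proxy mode only changes how the client address is derived,
// never whether the browser-origin check runs.
function hardenedGate(headers, trustedProxy) {
  return checkBrowserOrigin(headers);
}

// Constructed request: a browser on an unrelated site, forwarded by the trusted proxy.
const crossSiteRequest = {
  origin: "https://attacker-site.example",
  "sec-fetch-site": "cross-site",
  "x-forwarded-for": "203.0.113.7",
};
```

`vulnerableGate(crossSiteRequest, true)` allows the request, while `hardenedGate(crossSiteRequest, true)` rejects it with "origin not allowlisted".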
Remediation
Update to OpenClaw version 2026.3.31 or later, where this vulnerability has been patched.
