OpenClaw Access Control Bypass Vulnerability via Proxied Remote Request Misclassification
Vulnerability
A vulnerability in OpenClaw versions prior to 2026.3.31 allows unauthorized access because the diffs viewer misclassifies proxied remote requests as local loopback connections. The misclassification matters when the 'allowRemoteViewer' option is disabled: a remote client whose request arrives through a proxy is treated as local, so the access controls and remote viewer restrictions that option is meant to enforce are bypassed.
Impact
Exploitation of this vulnerability allows for unauthorized access by bypassing access controls, particularly in the diffs viewer.
Reproduction
The vulnerability can be reproduced by sending proxied remote requests to the OpenClaw diffs viewer while 'allowRemoteViewer' is disabled. The server will incorrectly identify these requests as local, thereby circumventing access controls and allowing unauthorized viewing.
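As an added illustration (not OpenClaw's code; the advisory does not say how the check was implemented), the sketch below contrasts a loopback check that classifies a request by its socket peer, which a same-host reverse proxy defeats, with one that attributes proxied requests to the forwarded client only when the peer is a configured trusted proxy. The request objects, the `x-forwarded-for` handling and the `trustedProxies` parameter are assumptions made for the example.

```javascript
// Added example, not OpenClaw's code: how an "is this request local?" check
// can misclassify proxied remote traffic, and a hardened form that does not.

// Loopback test for IPv4 127.0.0.0/8, IPv6 ::1 and the IPv4-mapped form.
function isLoopbackAddress(addr) {
  if (typeof addr !== "string") return false;
  const v4 = addr.startsWith("::ffff:") ? addr.slice(7) : addr;
  return addr === "::1" || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(v4);
}

// Vulnerable classification (constructed illustration of the bug class): a
// reverse proxy on the same host connects from 127.0.0.1, so every request it
// forwards on behalf of a remote client looks like a loopback connection.
function isLocalRequestNaive(req) {
  return isLoopbackAddress(req.socket.remoteAddress);
}

// Hardened classification. `trustedProxies` (assumed configuration) lists the
// peer addresses allowed to speak for other clients; only for those peers is
// the first X-Forwarded-For hop used, and the request fails closed (treated as
// remote) whenever the real client cannot be attributed.
function isLocalRequestHardened(req, trustedProxies = new Set()) {
  const peer = req.socket.remoteAddress;
  const xff = req.headers["x-forwarded-for"];
  if (trustedProxies.has(peer)) {
    if (typeof xff !== "string" || xff.trim() === "") return false;
    const client = xff.split(",")[0].trim();
    return isLoopbackAddress(client);
  }
  // Direct connection: a forwarding header is client-controlled and proves
  // nothing, except that the peer is not the origin, so treat it as remote.
  return xff === undefined && isLoopbackAddress(peer);
}

// Viewer gate: remote clients are admitted only when allowRemoteViewer is set.
function viewerAllowed(isLocal, allowRemoteViewer) {
  return allowRemoteViewer || isLocal;
}

// Constructed sample requests (documentation addresses, not real hosts).
const proxiedRemote = { socket: { remoteAddress: "127.0.0.1" },
                        headers: { "x-forwarded-for": "203.0.113.7" } };
const directLocal   = { socket: { remoteAddress: "::1" }, headers: {} };
const spoofedRemote = { socket: { remoteAddress: "203.0.113.9" },
                        headers: { "x-forwarded-for": "127.0.0.1" } };
const localProxies  = new Set(["127.0.0.1"]);

console.log(viewerAllowed(isLocalRequestNaive(proxiedRemote), false));                 // true: bypass
console.log(viewerAllowed(isLocalRequestHardened(proxiedRemote, localProxies), false)); // false
```

The naive check admits the proxied remote client even with allowRemoteViewer disabled; the hardened check attributes the request to 203.0.113.7 and denies it, while still admitting a genuine loopback client.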
Remediation
Users can upgrade to OpenClaw version 2026.3.31 or later to address this vulnerability.
