High severityNVD Advisory· Published Mar 12, 2026· Updated Mar 13, 2026
OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode
CVE-2026-32302
Description
OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted reverse proxy, inherit proxy-authenticated identity, and establish a privileged operator session. This vulnerability is fixed in 2026.3.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
openclawnpm | < 2026.3.11 | 2026.3.11 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-5wcw-8jjv-m286ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32302ghsaADVISORY
- github.com/openclaw/openclaw/commit/ebed3bbde1a72a1aaa9b87b63b91e7c04a50036bghsax_refsource_MISCWEB
- github.com/openclaw/openclaw/releases/tag/v2026.3.11ghsax_refsource_MISCWEB
- github.com/openclaw/openclaw/security/advisories/GHSA-5wcw-8jjv-m286ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.