Low severity · 2.9 · NVD Advisory · Published Apr 28, 2026 · Updated Apr 30, 2026
CVE-2026-41403
Description
OpenClaw before 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer when allowRemoteViewer is disabled, allowing unauthorized access. Attackers can bypass access controls by sending proxied requests that are incorrectly identified as local loopback traffic, circumventing intended remote viewer restrictions.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.3.31 | 2026.3.31 |
References
- github.com/openclaw/openclaw/commit/30a1690323088fd291abd11643a264a6828a002c (NVD: Patch)
- github.com/advisories/GHSA-3xv9-89fm-7h4r (GHSA: Advisory)
- github.com/openclaw/openclaw/security/advisories/GHSA-3xv9-89fm-7h4r (NVD: Vendor Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-41403 (GHSA: Advisory)
- www.vulncheck.com/advisories/openclaw-access-control-bypass-via-proxied-remote-request-misclassification (NVD: Third Party Advisory)
- github.com/openclaw/openclaw/releases/tag/v2026.3.31 (GHSA: Release)