GHSA-48vw-m3qc-wr99: OpenClaw's Trusted-proxy Control UI sessions retain privileged scopes without device identity on device-less allow paths

March 26, 2026

Trusted-proxy Control UI sessions without device identity could retain self-declared privileged scopes on the device-less allow path.

References

github.com/advisories/GHSA-48vw-m3qc-wr99
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/ccf16cd8892402022439346ae1d23352e3707e9e
github.com/openclaw/openclaw/security/advisories/GHSA-48vw-m3qc-wr99

Code Behaviors & Features

Detect and mitigate GHSA-48vw-m3qc-wr99 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →