GHSA-844j-xrrq-wgh4: OpenClaw: Forwarding header spoofing bypasses gateway.trustedProxies origin detection
When gateway.trustedProxies was configured, spoofed loopback hops in forwarding headers could be accepted as the client origin and weaken downstream auth and rate-limit decisions.
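The failure class described above, as an added example (not OpenClaw's code or its fix): a resolver that believes the leftmost X-Forwarded-For entry beside one that walks the chain right to left and stops at the first hop outside the trusted-proxy set. The function names, the exact-match trusted set and the sample addresses are assumptions constructed for illustration.

```javascript
// Added illustration; not OpenClaw code. All names and addresses are constructed.
const IPV4 = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;
// Loose IPv6 shape check, enough to reject junk tokens in this sketch.
const looksLikeIp = (s) => IPV4.test(s) || (s.includes(":") && /^[0-9a-fA-F:]+$/.test(s));
const isLoopback = (ip) => ip === "::1" || ip.startsWith("127.");

// Weak pattern: once the peer is a trusted proxy, believe the leftmost entry,
// which is the part of the header the original sender controls.
function naiveClientIp(remoteAddr, xff, trusted) {
  if (!trusted.has(remoteAddr) || !xff) return remoteAddr;
  return xff.split(",")[0].trim();
}

// Hardened pattern: walk right to left; the first hop that is not a trusted
// proxy is the client. Entries to its left are unverified and are ignored.
function resolveClientIp(remoteAddr, xff, trusted) {
  // Headers from a peer that is not a trusted proxy never count.
  if (!trusted.has(remoteAddr) || !xff) return remoteAddr;
  const hops = xff.split(",").map((h) => h.trim());
  let nearest = remoteAddr;
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!looksLikeIp(hops[i])) return nearest; // malformed hop: stop at last verified address
    nearest = hops[i];
    if (!trusted.has(nearest)) return nearest;
  }
  return nearest; // every hop was a trusted proxy
}

// Constructed scenario: proxy 10.0.0.5 is trusted; the sender at 198.51.100.9
// supplied "127.0.0.1" and the proxy appended the address it actually saw.
function demo() {
  const trusted = new Set(["10.0.0.5"]);
  const xff = "127.0.0.1, 198.51.100.9";
  const naive = naiveClientIp("10.0.0.5", xff, trusted);
  const hardened = resolveClientIp("10.0.0.5", xff, trusted);
  return { naive, naiveIsLocal: isLoopback(naive), hardened, hardenedIsLocal: isLoopback(hardened) };
}

console.log(demo());
```

Auth and rate-limit code that keys on the resolved address should consume only the hardened result, so a loopback value can come from the socket peer or a verified hop and never from the sender-controlled part of the header.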