CVE-2026-32029: OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions
(updated )
OpenClaw used left-most X-Forwarded-For values when requests came from configured trusted proxies. In proxy chains that append/preserve header values, this could let attacker-controlled header content influence security decisions tied to client IP.
References
- github.com/advisories/GHSA-2rgf-hm63-5qph
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/07039dc089e51589a213ec0d16f8d6f2cd871fa1
- github.com/openclaw/openclaw/commit/8877bfd11ec7760b115b2d0d7500a45da2749747
- github.com/openclaw/openclaw/security/advisories/GHSA-2rgf-hm63-5qph
- nvd.nist.gov/vuln/detail/CVE-2026-32029
- www.vulncheck.com/advisories/openclaw-client-ip-spoofing-via-x-forwarded-for-header-parsing
Code Behaviors & Features
Detect and mitigate CVE-2026-32029 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →