GHSA-2rgf-hm63-5qph: OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions
When a request arrived from a configured trusted proxy, OpenClaw took the left-most value of the X-Forwarded-For header as the client IP. Proxies that append to or preserve an incoming X-Forwarded-For header leave the client-supplied value in the left-most position, so an attacker behind such a proxy chain could place an arbitrary address there and have it used in security decisions tied to client IP. The client address that a trusted proxy actually observed is the right-most value it appended; the correct resolution walks the header from the right and stops at the first address that is not itself a configured trusted proxy.
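The following is an added example, not OpenClaw's own code, that contrasts the left-most parse described above with a right-to-left parse that skips configured trusted proxies. The function names, the trusted-proxy set and the request values are constructed for illustration.

```javascript
// Added illustration (not OpenClaw code): left-most vs. right-most-untrusted
// X-Forwarded-For resolution behind trusted proxies. All names are assumed.

// Split "a, b, c" into ["a", "b", "c"], tolerating stray whitespace and
// empty entries such as a trailing comma.
function parseXff(header) {
  if (!header) return [];
  return header
    .split(",")
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// Vulnerable pattern from the advisory: once the TCP peer is a trusted proxy,
// believe the left-most header value. A client that sends its own
// X-Forwarded-For controls that position whenever the proxy appends.
function clientIpLeftmost(remoteAddr, xffHeader, trustedProxies) {
  if (!trustedProxies.has(remoteAddr)) return remoteAddr;
  const hops = parseXff(xffHeader);
  return hops.length > 0 ? hops[0] : remoteAddr;
}

// Hardened pattern: walk the chain from the right (nearest hop first) and
// stop at the first address that is not a configured trusted proxy. Values
// to the left of that hop were not appended by anything we trust, so they
// are never consulted.
function clientIpRightmostUntrusted(remoteAddr, xffHeader, trustedProxies) {
  if (!trustedProxies.has(remoteAddr)) return remoteAddr; // header not trusted at all
  const hops = parseXff(xffHeader);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  // Every listed hop is a trusted proxy: the left-most one is closest to the
  // origin and is the best we can say about the client.
  return hops.length > 0 ? hops[0] : remoteAddr;
}

// Constructed scenario: the edge proxy 10.0.0.2 is trusted; the attacker at
// 203.0.113.5 sends "X-Forwarded-For: 127.0.0.1" and the proxy appends the
// real peer address before forwarding.
const TRUSTED_PROXIES = new Set(["10.0.0.2", "10.0.0.3"]);
const SPOOFED_REQUEST = {
  remoteAddr: "10.0.0.2",
  xff: "127.0.0.1, 203.0.113.5",
};

// Resolve the same request both ways so the difference is visible.
function resolveSpoofedRequest() {
  return {
    leftmost: clientIpLeftmost(
      SPOOFED_REQUEST.remoteAddr, SPOOFED_REQUEST.xff, TRUSTED_PROXIES),
    hardened: clientIpRightmostUntrusted(
      SPOOFED_REQUEST.remoteAddr, SPOOFED_REQUEST.xff, TRUSTED_PROXIES),
  };
}

console.log(resolveSpoofedRequest());
```

With the left-most parse the request resolves to 127.0.0.1, so any decision keyed on the client being local is made on attacker-chosen input; the right-to-left parse resolves to 203.0.113.5, the address the trusted proxy actually saw. A peer that is not in the trusted set gets no header influence at all in the hardened version.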