7.3
OpenClaw diffs viewer misclassifies proxied remote requests when `allowRemoteViewer` is disabled
GHSA-3xv9-89fm-7h4r
Summary
The OpenClaw diffs viewer incorrectly classifies proxied remote requests as local (loopback) requests when the `allowRemoteViewer` setting is disabled, potentially allowing unauthorized access to sensitive data. This is a relatively low-risk issue, but if you're using a version of OpenClaw prior to 2026.3.31, update to the latest version so that requests are classified accurately.
What to do
- Update openclaw to version 2026.3.31.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.31 | 2026.3.31 |
Original title
OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled
Original description
## Summary
diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled
## Current Maintainer Triage
- Assessment: Shipped v2026.3.28 misclassified proxied diff-viewer requests as local loopback in some cases, a real but low-severity access-control flaw.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`
## Fix Commit(s)
- `30a1690323088fd291abd11643a264a6828a002c` — 2026-03-30T14:17:27-06:00
OpenClaw thanks @smaeljaish771 for reporting.
osv CVSS4.0
7.3
Vulnerability type
CWE-348
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026