OpenClaw Diffs Viewer Misclassifies Remote Requests as Local
GHSA-3xv9-89fm-7h4r
Summary
OpenClaw's diffs viewer can misclassify remote requests that arrive through a proxy as loopback (same-machine) requests, even when `allowRemoteViewer` is disabled and the viewer is supposed to serve local clients only. A remote client relayed by such a proxy could therefore reach viewer functionality that should have been restricted to the local machine. Update OpenClaw to version 2026.3.31 or later to fix this issue.
What to do
- Update openclaw to version 2026.3.31 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.28 | 2026.3.31 |
Original title
OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled
Original description
## Summary
diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled
## Current Maintainer Triage
- Assessment: Shipped v2026.3.28 misclassified proxied diff-viewer requests as local loopback in some cases, a real but low-severity access-control flaw.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`
## Fix Commit(s)
- `30a1690323088fd291abd11643a264a6828a002c` — 2026-03-30T14:17:27-06:00
OpenClaw thanks @smaeljaish771 for reporting.
CVSS 4.0 (GHSA): 6.3
Vulnerability type: CWE-348 (Use of Less Trusted Source)
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026