CVSS 3.1 (GHSA): 8.1
OpenClaw: Untrusted Sites Can Access Sensitive Settings
GHSA-5wcw-8jjv-m286
CVE-2026-32302
Summary
A web page served from an untrusted origin could open a WebSocket connection to OpenClaw through a trusted reverse proxy, inherit the identity the proxy attaches to the request, and obtain a privileged operator session. This affects deployments where gateway.auth.mode is set to trusted-proxy and origin validation is relied on to keep cross-origin browser connections out. To fix this, update OpenClaw to version 2026.3.11 or later.
What to do
- Update openclaw to version 2026.3.11 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | < 2026.3.11 | 2026.3.11 |
Original title
OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arri...
Original description
OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted reverse proxy, inherit proxy-authenticated identity, and establish a privileged operator session. This vulnerability is fixed in 2026.3.11.
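The mechanism in the description above, as an added example that is not OpenClaw's code: a minimal WebSocket upgrade gate in JavaScript for a gateway deployed behind a trusted reverse proxy, with the weak pattern (proxy-supplied identity short-circuits the Origin check) beside the hardened one (Origin is validated for every browser-originated request before proxy identity is honoured). The allow-list, the x-forwarded-user header name and the sample requests are constructed assumptions, not taken from the advisory.

```javascript
// Added illustration of the advisory's bug class; not OpenClaw code.
// Models the upgrade gate of a gateway behind a trusted reverse proxy.
// ALLOWED_ORIGINS, the x-forwarded-user header and the samples are assumptions.

// Browser origins permitted to open a WebSocket to the gateway (assumed value).
const ALLOWED_ORIGINS = new Set(['https://assistant.example.internal']);
// Header the trusted proxy is assumed to set after authenticating the user.
const PROXY_USER_HEADER = 'x-forwarded-user';

// Lower-case header names so lookups are case-insensitive, as HTTP requires.
function lowerHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// 'absent' means no Origin header (non-browser client); 'denied' covers an
// origin outside the allow-list as well as 'null' or unparseable values.
function classifyOrigin(originHeader) {
  if (originHeader === undefined) return 'absent';
  let normalized;
  try {
    normalized = new URL(originHeader).origin; // throws on 'null' or garbage
  } catch {
    return 'denied';
  }
  return ALLOWED_ORIGINS.has(normalized) ? 'allowed' : 'denied';
}

// Weak gate: presence of the proxy identity header short-circuits the origin
// check, so a page on any origin that can reach the proxy inherits that user.
function vulnerableUpgradeGate(headers) {
  const h = lowerHeaders(headers);
  const proxyUser = h[PROXY_USER_HEADER];
  if (proxyUser) {
    return { allowed: true, user: proxyUser, reason: 'proxy identity, origin not checked' };
  }
  if (classifyOrigin(h.origin) === 'denied') {
    return { allowed: false, user: null, reason: 'origin rejected' };
  }
  return { allowed: false, user: null, reason: 'no identity' };
}

// Hardened gate: any request carrying an Origin header must pass the
// allow-list first, regardless of which auth mode supplies the identity.
function hardenedUpgradeGate(headers) {
  const h = lowerHeaders(headers);
  if (classifyOrigin(h.origin) === 'denied') {
    return { allowed: false, user: null, reason: 'origin rejected' };
  }
  const proxyUser = h[PROXY_USER_HEADER];
  if (!proxyUser) {
    return { allowed: false, user: null, reason: 'no identity' };
  }
  return { allowed: true, user: proxyUser, reason: 'origin ok, proxy identity' };
}

// Constructed sample upgrade requests as the gateway sees them after the proxy.
const SAMPLE_REQUESTS = {
  attacker: { Origin: 'https://attacker.example', 'X-Forwarded-User': 'alice' },
  legit: { Origin: 'https://assistant.example.internal', 'X-Forwarded-User': 'alice' },
  nullOrigin: { Origin: 'null', 'X-Forwarded-User': 'alice' },
  unauthenticated: { Origin: 'https://assistant.example.internal' },
};

// Runs both gates over the samples and reports the admit/deny decision of each.
function compareGates(requests = SAMPLE_REQUESTS) {
  const result = {};
  for (const [name, headers] of Object.entries(requests)) {
    result[name] = {
      vulnerable: vulnerableUpgradeGate(headers).allowed,
      hardened: hardenedUpgradeGate(headers).allowed,
    };
  }
  return result;
}

console.log(JSON.stringify(compareGates(), null, 2));
```

The attacker and nullOrigin samples are the advisory's case: the weak gate admits them because the proxy already attached an identity, while the hardened gate rejects them before that identity is consulted. Two caveats apply to any real deployment of this pattern: browsers send Origin but other clients need not, so the allow-list only addresses the cross-origin browser case, and the proxy identity header must be accepted only from the proxy's own address and stripped from client-supplied input, which this example does not show.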
Vulnerability type
CWE-346 (Origin Validation Error)
Published: 13 Mar 2026 · Updated: 13 Mar 2026 · First seen: 12 Mar 2026