CVE-2026-35656
Authentication Bypass in OpenClaw via X-Forwarded-For Header Spoofing
Publication date: 2026-04-10
Last updated on: 2026-04-13
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | all versions before 2026.3.22 (2026.3.22 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35656 is an authentication bypass vulnerability in OpenClaw versions before 2026.3.22. It occurs due to improper handling of the X-Forwarded-For (XFF) header when the trustedProxies configuration is enabled. Attackers can inject forged forwarding headers containing spoofed loopback IP addresses (such as 127.0.0.1), which the system mistakenly accepts as legitimate client origins.
This spoofing allows attackers to bypass Canvas authentication and rate-limiting protections by masquerading as trusted loopback clients, effectively circumventing access controls and usage restrictions.
The vulnerability was fixed by modifying the gateway to ignore spoofed loopback addresses in the X-Forwarded-For header from trusted proxies, ensuring accurate client IP resolution and preventing unauthorized access.
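The vulnerable and hardened client-IP resolution patterns described above, as an added illustration that is not OpenClaw's own code. It assumes a constructed topology with a single trusted reverse proxy at 10.0.0.5 (not a loopback address) and uses hypothetical function names; the point it demonstrates is that the fixed resolver walks the X-Forwarded-For chain from the proxy-appended end and refuses a loopback address that arrived through a proxy.

```python
import ipaddress

# Constructed sample topology (not from the advisory): one trusted reverse proxy in
# front of the gateway. The proxy address is assumed not to be a loopback address.
TRUSTED_PROXIES = {"10.0.0.5"}


def parse_xff(header):
    """Split an X-Forwarded-For value into its comma-separated hops."""
    return [h.strip() for h in header.split(",") if h.strip()] if header else []


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; malformed strings are never treated as loopback."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def resolve_client_ip_vulnerable(remote_addr, xff, trusted_proxies=TRUSTED_PROXIES):
    """Pre-fix pattern: when the peer is a trusted proxy, take the leftmost XFF hop
    verbatim, so a client-supplied '127.0.0.1' becomes the 'client' address."""
    if remote_addr in trusted_proxies:
        chain = parse_xff(xff)
        if chain:
            return chain[0]
    return remote_addr


def resolve_client_ip_fixed(remote_addr, xff, trusted_proxies=TRUSTED_PROXIES):
    """Hardened pattern: walk the chain from the right (the hop appended by the trusted
    proxy), skip trusted hops, and refuse a loopback address that arrived via a proxy;
    such a request is attributed to the proxy itself, which gets no loopback trust."""
    if remote_addr not in trusted_proxies:
        return remote_addr  # a header from an untrusted peer is ignored entirely
    for hop in reversed(parse_xff(xff)):
        if hop in trusted_proxies:
            continue
        if is_loopback(hop):
            return remote_addr  # spoofed loopback: fall back to the proxy address
        return hop
    return remote_addr


def grants_loopback_access(resolver, remote_addr, xff):
    """What an auth or rate-limit check keyed on a loopback client would decide."""
    return is_loopback(resolver(remote_addr, xff))
```

With the proxy appending the real client address, a request carrying the forged header "127.0.0.1, 203.0.113.9" resolves to 127.0.0.1 under the vulnerable pattern and to 203.0.113.9 under the fixed one.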
How can this vulnerability impact me?
This vulnerability can allow remote attackers to bypass authentication mechanisms and rate-limiting protections by spoofing loopback IP addresses in forwarding headers.
- Unauthorized access to systems protected by OpenClaw's Canvas authentication.
- Circumvention of rate limits, potentially leading to abuse or denial of service.
- Attackers can masquerade as trusted internal clients, increasing the risk of privilege escalation or unauthorized actions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for spoofed loopback IP addresses (e.g., 127.0.0.1) in the X-Forwarded-For (XFF) headers of incoming requests, especially when the trustedProxies configuration is enabled.
You can inspect network traffic or server logs for suspicious X-Forwarded-For headers containing loopback addresses that should not originate from trusted proxies.
Suggested commands include using tools like tcpdump or Wireshark to capture HTTP headers, or grep commands on server logs to find X-Forwarded-For headers with loopback IPs.
- tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep 'X-Forwarded-For'
- grep -r 'X-Forwarded-For: 127.0.0.1' /var/log/openclaw/
- Use application-level logging or debugging to verify if requests with loopback IPs in XFF headers are being accepted as authenticated or bypassing rate limits.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating OpenClaw to version 2026.3.22 or later, where the vulnerability has been fixed by ignoring spoofed loopback addresses in the X-Forwarded-For header when trustedProxies is configured.
If updating immediately is not possible, consider disabling or carefully restricting the trustedProxies configuration to prevent acceptance of untrusted forwarding headers.
Additionally, review and tighten authentication and rate-limiting rules to not rely solely on client IPs derived from X-Forwarded-For headers without validation.
Monitor logs for suspicious forwarding headers and consider implementing additional network-level filtering to block requests with spoofed loopback IPs.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of CVE-2026-35656 on compliance with common standards and regulations such as GDPR or HIPAA.