CVE-2026-41403
OpenClaw < 2026.3.31 - Access Control Bypass via Proxied Remote Request Misclassification
CVSS Score
2.9
EPSS Score
0.0%
EPSS Percentile
0th
OpenClaw before 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer when allowRemoteViewer is disabled, allowing unauthorized access. Attackers can bypass access controls by sending proxied requests that are incorrectly identified as local loopback traffic, circumventing intended remote viewer restrictions.
| CWE | CWE-807 |
| Vendor | openclaw |
| Product | openclaw |
| Published | Apr 28, 2026 |
Stay Ahead of the Next One
Get instant alerts for openclaw openclaw
Be the first to know when new low vulnerabilities affecting openclaw openclaw are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Affected Versions
OpenClaw / OpenClaw
0 < 2026.3.31
References
github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-3xv9-89fm-7h4r github.com: https://github.com/openclaw/openclaw/commit/30a1690323088fd291abd11643a264a6828a002c vulncheck.com: https://www.vulncheck.com/advisories/openclaw-access-control-bypass-via-proxied-remote-request-misclassification
Credits
๐ smaeljaish771 KeenSecurityLab