CVE-2026-35656: OpenClaw: auth bypass via X-Forwarded-For spoofing
Severity: MEDIUM
OpenClaw before 2026.3.22 allows unauthenticated remote attackers to inject forged X-Forwarded-For headers that the framework's trustedProxies logic accepts as legitimate loopback traffic, bypassing canvas authentication and rate-limiting controls entirely. The attack requires zero credentials, no user interaction, and low complexity — meaning any public-facing OpenClaw deployment with trustedProxies configured is one crafted HTTP header away from full authentication bypass. Blast radius is currently limited (4 tracked downstream dependents, no CISA KEV entry, no EPSS data, no public exploit as of disclosure); however, the OpenClaw ecosystem has already been actively targeted for credential exfiltration via malicious skills (AIID #1368), signaling attacker familiarity with this platform and elevating the risk of opportunistic exploitation. Upgrade to OpenClaw 2026.3.22 immediately; if patching is delayed, restrict trustedProxies to verified infrastructure IPs and enforce X-Forwarded-For stripping at the network perimeter.
What is the risk?
Medium severity by CVSS (6.5), but the exploitability profile is worse than the score implies for exposed deployments: zero prerequisites (no authentication, no user interaction, low complexity, network-accessible) mean any external attacker can attempt exploitation with a trivial HTTP header modification. The bypass simultaneously neutralizes two protective controls — canvas authentication and rate limiting — compounding impact in AI agent contexts where unrestricted API access can cascade into tool invocation or data exposure. With 395 historical CVEs in this package, OpenClaw's overall security posture warrants scrutiny, though the limited known adoption (4 dependents) constrains aggregate exposure at this time.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | pip | — | No patch |
Do you use OpenClaw? You're affected.
What should I do?
5 steps:
1. Patch: Upgrade to OpenClaw 2026.3.22 or later (commits 630f1479c4 and fc2d29ea92 address the root cause).
2. Workaround: Disable trustedProxies entirely or restrict to explicitly verified, network-controlled upstream proxy IP ranges.
3. Network controls: Configure reverse proxies (nginx, Caddy, Traefik) to strip or rewrite X-Forwarded-For headers before forwarding to OpenClaw, preventing client-supplied header injection from reaching the framework.
4. Detection: Audit access logs for requests carrying X-Forwarded-For headers containing loopback addresses (127.0.0.1, ::1, localhost) that did not originate from a trusted proxy tier; flag these as suspicious.
5. Retrospective: Review whether canvas authentication or rate-limiting was bypassed historically on affected deployments and assess whether unauthorized tool invocations occurred.
Frequently Asked Questions
Is CVE-2026-35656 actively exploited?
No confirmed active exploitation of CVE-2026-35656 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-35656?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI API gateways, multi-tenant AI agent deployments.
What is the CVSS score for CVE-2026-35656?
CVE-2026-35656 has a CVSS v3.1 base score of 6.5 (MEDIUM).
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0049 Exploit Public-Facing Application
- AML.T0053 AI Agent Tool Invocation
- AML.T0107 Exploitation for Defense Evasion
What are the technical details?
Original Advisory
OpenClaw before 2026.3.22 contains an authentication bypass vulnerability in the X-Forwarded-For header processing when trustedProxies is configured, allowing attackers to spoof loopback hops. Remote attackers can inject forged forwarding headers to bypass canvas authentication and rate-limiting protections by masquerading as loopback clients.
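As an added illustration serving both the advisory text above and detection step 4 in "What should I do?" (this is not OpenClaw's own code), the block below resolves the client address from X-Forwarded-For the trust-aware way, walking the chain from the right and skipping only configured proxies so that an untrusted peer's forged 127.0.0.1 is never honoured, and then audits access-log lines with the same logic. It goes one step beyond the page's rule: a loopback hop that a trusted proxy merely forwarded rather than appended is also flagged as client-supplied. The 10.0.0.0/24 proxy network, the log line format and the log lines are constructed assumptions.

```python
import ipaddress
import re

# Proxy tier allowed to set X-Forwarded-For (constructed example network).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

def is_trusted(addr):
    try:
        return any(ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES)
    except ValueError:
        return False

def is_loopback(addr):
    try:
        return addr.lower() == "localhost" or ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def resolve_client(peer, xff):
    """Return (client_ip, hops no trusted proxy vouched for).
    Walk right-to-left skipping trusted proxies; the first untrusted hop is the
    client. An untrusted TCP peer gets no say, so its forged '127.0.0.1' is ignored."""
    hops = [h.strip() for h in xff.split(",") if h.strip() not in ("", "-")]
    if not is_trusted(peer):
        return peer, hops          # whole header is attacker-controllable
    while hops and is_trusted(hops[-1]):
        hops.pop()                 # strip our own proxy tier(s) from the right
    return (hops[-1], hops[:-1]) if hops else (peer, [])

# Constructed access-log lines (peer, request, X-Forwarded-For); not real traffic.
LINE_RE = re.compile(r'^(?P<peer>\S+) "(?P<req>[^"]*)" xff="(?P<xff>[^"]*)"$')
SAMPLE_LOG = """\
10.0.0.5 "POST /api/agent HTTP/1.1" xff="127.0.0.1, 203.0.113.9"
198.51.100.7 "POST /api/agent HTTP/1.1" xff="127.0.0.1"
198.51.100.8 "GET /health HTTP/1.1" xff="-"
10.0.0.6 "POST /api/agent HTTP/1.1" xff="203.0.113.10, 10.0.0.7"
127.0.0.1 "GET /health HTTP/1.1" xff="-"
"""

def audit_log(text):
    """Return (peer, resolved client, reason) for each suspicious line."""
    findings = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        client, unvouched = resolve_client(m["peer"], m["xff"])
        if any(is_loopback(h) for h in unvouched):
            findings.append((m["peer"], client, "client-supplied loopback hop"))
        elif is_loopback(client) and not is_loopback(m["peer"]):
            findings.append((m["peer"], client, "proxy reported loopback client"))
    return findings
```

Genuine local traffic (peer 127.0.0.1 with no forwarding header) is not flagged, while the two lines carrying a loopback hop that no trusted proxy appended are.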
Exploitation Scenario
An attacker targeting an enterprise AI agent deployment discovers OpenClaw is running behind a load balancer with trustedProxies configured. The attacker sends a single crafted HTTP POST to the OpenClaw API endpoint with the header 'X-Forwarded-For: 127.0.0.1'. OpenClaw's proxy trust logic accepts the forged loopback address, treating the external attacker as a local client and bypassing canvas authentication and rate limiting in a single step. The attacker now freely enumerates available agent tools, queries conversation history, and invokes agent actions — such as file access or external API calls — that require authenticated sessions. Given AIID #1368's documented pattern of credential theft via OpenClaw's skills ecosystem, a sophisticated adversary could chain this bypass with a malicious skill to exfiltrate credentials without triggering rate-limit-based anomaly detection.
Weaknesses (CWE)
CWE-290 — Authentication Bypass by Spoofing: This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
References
- github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87 (patch)
- github.com/openclaw/openclaw/commit/fc2d29ea926f47c428c556e92ec981441228d2a4 (patch)
- github.com/openclaw/openclaw/security/advisories/GHSA-844j-xrrq-wgh4 (vendor advisory)
- vulncheck.com/advisories/openclaw-xff-loopback-spoofing-bypass-in-canvas-authentication-and-rate-limiter (third-party advisory)
Related Vulnerabilities
- CVE-2026-33579 (9.9): Analysis pending (same package: openclaw)
- CVE-2026-32922 (9.9): Analysis pending (same package: openclaw)
- CVE-2026-32038 (9.8): Analysis pending (same package: openclaw)
- CVE-2026-53838 (9.8): OpenClaw: approval scope bypass via reconnection state (same package: openclaw)
- CVE-2026-30741 (9.8): OpenClaw: RCE via request-side prompt injection (same package: openclaw)