GHSA-3H23-RRPC-3P87 Caddy Defender trusted proxy client IP bypass

Impact Caddy Defender used r.RemoteAddr when evaluating whether a request should be blocked. RemoteAddr is the address of the immediate peer connected to Caddy. In deployments where Caddy is behind a trusted proxy, CDN, or load balancer, the immediate peer is usually the proxy, not the original...

PT-2026-42048

Impact Caddy Defender used r.RemoteAddr when evaluating whether a request should be blocked. RemoteAddr is the address of the immediate peer connected to Caddy. In deployments where Caddy is behind a trusted proxy, CDN, or load balancer, the immediate peer is usually the proxy, not the original...

curl: Connection reuse ignores haproxyprotocol and HAPROXY_CLIENT_IP settings, allowing PROXY context to persist across transfers

Summary: libcurl's connection pool match logic does not include the CURLOPTHAPROXYPROTOCOL setting or the CURLOPTHAPROXYCLIENTIP value in its connection match key. Two transfers issued through the same Curleasy or via a shared connection cache CURLLOCKDATACONNECT therefore share one TCP connectio...

CVE-2026-24000

Fleet is open source device management software. Prior to version 4.80.1, Fleet trusted client-supplied IP address headers when determining the source IP for incoming requests. This allowed authenticated and unauthenticated clients to spoof their apparent IP address and bypass per-IP rate limitin...

CVE-2026-46356 Fleet: IP spoofing allows bypassing API rate limiting

Fleet is open source device management software. Prior to version 4.80.1, a vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances...

CVE-2026-46356

Fleet (open-source device management) before v4.80.1 is vulnerable: an IP extraction flaw lets unauthenticated attackers bypass per-IP rate limits by rotating headers like True-Client-IP, X-Real-IP, or X-Forwarded-For, enabling brute-force or credential stuffing on exposed instances. Root cause: ...

GHSA-MXMP-WR3W-RVQX Fleet: IP spoofing allows bypassing API rate limiting

Summary A vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet. Impact Fleet extracted client IP...

CVE-2026-40875 mailcow: dockerized vulnerable to stored XSS in user login history real_rip

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" login history renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP...

CVE-2026-40875 mailcow: dockerized vulnerable to stored XSS in user login history real_rip

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" login history renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP...

CVE-2026-6599 langflow-ai langflow Model Context Protocol Configuration API mcp_projects.py install_mcp_config injection

A vulnerability was detected in langflow-ai langflow up to 1.8.3. The impacted element is the function getclientip/installmcpconfig of the file src/backend/base/langflow/api/v1/mcpprojects.py of the component Model Context Protocol Configuration API. Performing a manipulation of the argument...

CVE-2026-6599

A vulnerability was detected in langflow-ai langflow up to 1.8.3. The impacted element is the function getclientip/installmcpconfig of the file src/backend/base/langflow/api/v1/mcpprojects.py of the component Model Context Protocol Configuration API. Performing a manipulation of the argument...

Bulwark Webmail 安全漏洞

Bulwark Webmail is an open-source, self-hosted webmail client developed by Bulwark Mail. Versions of Bulwark Webmail prior to 1.4.11 contained security vulnerabilities. These vulnerabilities stemmed from the getClientIP function, which trusted the X-Forwarded-For header provided by the client. Th...

CVE-2026-32029 OpenClaw < 2026.2.21 - Client IP Spoofing via X-Forwarded-For Header Parsing

OpenClaw versions prior to 2026.2.21 improperly parse the left-most X-Forwarded-For header value when requests originate from configured trusted proxies, allowing attackers to spoof client IP addresses. In proxy chains that append or preserve header values, attackers can inject malicious header...

CVE-2026-32029

OpenClaw versions prior to 2026.2.21 improperly parse the left-most X-Forwarded-For header value when requests originate from configured trusted proxies, allowing attackers to spoof client IP addresses. In proxy chains that append or preserve header values, attackers can inject malicious header...

GHSA-2RGF-HM63-5QPH OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions

Summary OpenClaw used left-most X-Forwarded-For values when requests came from configured trusted proxies. In proxy chains that append/preserve header values, this could let attacker-controlled header content influence security decisions tied to client IP. Affected Packages / Versions - Package:...

OpenClaw has hook auth rate limiter bypass via IPv4-mapped IPv6 client key variants

Vulnerability The hook authentication throttle keyed failed attempts by raw socket remoteAddress text. IPv4 and IPv4-mapped IPv6 forms of the same client for example 1.2.3.4 and ::ffff:1.2.3.4 were treated as different clients, allowing separate rate-limit buckets. Impact An attacker could split...

IP Rate Limiting Bypass

misskey-js is vulnerable to an IP rate limiting bypass. The vulnerability is due to improper handling of the X-Forwarded-For header and an insecure default trustProxy configuration, which allows an attacker to forge client IP values and bypass rate-limiting controls...

CVE-2025-65328

Mega-Fence webgate-lib. 25.1.914 and prior trusts the first value of the X-Forwarded-For XFF header as the client IP without validating a trusted proxy chain. An attacker can supply an arbitrary XFF value in a remote request to spoof the client IP, which is then propagated to security-relevant...

EUVD-2026-0812

Mega-Fence webgate-lib. 25.1.914 and prior trusts the first value of the X-Forwarded-For XFF header as the client IP without validating a trusted proxy chain. An attacker can supply an arbitrary XFF value in a remote request to spoof the client IP, which is then propagated to security-relevant...

CVE-2025-69203 Signal K Server Vulnerable to Access Request Spoofing

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the access request system have two related features that when combined by themselves and with an information disclosure vulnerability enable convincing social engineering attacks against...