5 matches found

NVD
added 2026/04/28 7:37 p.m., 0 views

CVE-2026-41403

OpenClaw before 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer when allowRemoteViewer is disabled, allowing unauthorized access. Attackers can bypass access controls by sending proxied requests that are incorrectly identified as local loopback traffic,...

CVSS: 6.3, EPSS: 0.0006
Exploits: 0, References: 3
Positive Technologies
added 2026/04/28 12:0 a.m., 1 view

PT-2026-35786

OpenClaw before 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer when allowRemoteViewer is disabled, allowing unauthorized access. Attackers can bypass access controls by sending proxied requests that are incorrectly identified as local loopback traffic,...

CVSS: 6.3, AI score: 5.2, EPSS: 0.0006
Exploits: 0, References: 6
Github Security Blog
added 2026/04/03 3:24 a.m., 3 views

OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled

Summary: diffs viewer misclassifies proxied remote requests as loopback when allowRemoteViewer is disabled. Current Maintainer Triage: Status: open; Normalized severity: low; Assessment: Shipped v2026.3.28 misclassified proxied diff-viewer requests as local loopback in some cases, a real but...

CVSS: 6.3, AI score: 5.9, EPSS: 0.0006
Exploits: 0, References: 6, Affected Software: 1
Snyk
added 2026/04/03 3:24 a.m., 4 views

Use of Less Trusted Source

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Use of Less Trusted Source in the diffs viewer process when proxied remote requests are incorrectly classified as loopback addresses if allowRemoteViewer is disabled. An attacker can gain...

CVSS: 6.3, AI score: 6, EPSS: 0.0006
Exploits: 0, References: 2
OSV
added 2026/04/03 3:24 a.m., 2 views

GHSA-3XV9-89FM-7H4R OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled

Summary: diffs viewer misclassifies proxied remote requests as loopback when allowRemoteViewer is disabled. Current Maintainer Triage: Status: open; Normalized severity: low; Assessment: Shipped v2026.3.28 misclassified proxied diff-viewer requests as local loopback in some cases, a real but...

CVSS: 6.3, AI score: 5.8, EPSS: 0.0006
Exploits: 0, References: 6