CVE-2026-44118
OpenClaw versions prior to 2026.4.22 are affected by CVE-2026-44118. The vulnerability arises because loopback MCP owner context is derived from spoofable server-issued bearer tokens in request headers. This allows non-owner loopback clients to impersonate the owner by manipulating the sender-owner...
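
The pattern described above, next to a hardened form, as an added example that is not OpenClaw's code and not the project's actual fix. The header name, token values and token store are hypothetical and constructed for illustration; the hardening shown (owner status read only from the server-side record bound to the token at issuance) is one general mitigation, assumed here.

```javascript
// Added illustration, not OpenClaw code. Header name, token values and
// the token store are hypothetical and constructed for this example.
const OWNER_HINT_HEADER = "x-example-sender-is-owner"; // hypothetical name

// Server-side record created when each loopback token is issued.
const issuedTokens = new Map([
  ["owner-token-constructed", { clientId: "owner-ui", isOwner: true }],
  ["guest-token-constructed", { clientId: "tool-client", isOwner: false }],
]);

// Header keys are assumed lowercased, as Node's http module delivers them.
function lookupToken(headers) {
  const m = /^Bearer (\S+)$/.exec(headers["authorization"] || "");
  return m ? issuedTokens.get(m[1]) : undefined;
}

// Weak: the token only proves "some loopback client"; owner status is
// then read from a value the same client controls.
function ownerContextWeak(headers) {
  if (!lookupToken(headers)) return { authenticated: false, isOwner: false };
  return { authenticated: true, isOwner: headers[OWNER_HINT_HEADER] === "true" };
}

// Hardened: owner status comes only from the server-side record that
// was bound to the token at issuance; the hint header is ignored.
function ownerContextHardened(headers) {
  const record = lookupToken(headers);
  if (!record) return { authenticated: false, isOwner: false };
  return { authenticated: true, isOwner: record.isOwner === true };
}

// Detection aid: a client asserting owner status that its token record
// does not grant is worth logging.
function ownerClaimMismatch(headers) {
  const record = lookupToken(headers);
  return Boolean(record) && headers[OWNER_HINT_HEADER] === "true" && !record.isOwner;
}
```

For the same non-owner request, ownerContextWeak reports owner status while ownerContextHardened does not, and ownerClaimMismatch flags the request for review.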