Severity: HIGH (7.1) · Ecosystem: npm
OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode
GHSA-mhr7-2xmv-4c4q · CVE-2026-41347
Description
Summary
HTTP operator endpoints lack browser-origin validation in trusted-proxy mode
Current Maintainer Triage
- Status: narrow
- Normalized severity: medium
- Assessment: This is a real trusted-proxy HTTP CSRF or browser-origin gap in released tags, but it is not critical because it depends on identity-bearing trusted-proxy browser deployments rather than the shared-secret HTTP operator model.
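The triage above turns on one distinction: behind an identity-bearing trusted proxy the caller's identity is ambient (the browser attaches the proxy's session cookie to any request aimed at that host, including one fired from an attacker-controlled page), whereas in the shared-secret operator model the client must add the bearer secret explicitly, which a cross-site page cannot make a browser do. The block below is an added example written for this page, not OpenClaw's code or its fix: a request check for state-changing operator endpoints that enforces browser-origin validation only when identity is ambient. The `mode` and `allowedOrigins` configuration shape, the `checkBrowserOrigin` name and the sample requests are assumptions; the headers it inspects (`Origin`, `Sec-Fetch-Site`, `Authorization`) are the standard ones browsers and HTTP clients send.

```javascript
// Added example (hypothetical, not OpenClaw's implementation): browser-origin
// validation for state-changing HTTP operator endpoints.
//
// trusted-proxy mode: the proxy authenticates the user via cookie and forwards an
// identity header, so any request the victim's browser can be made to send carries
// the victim's identity. The endpoint must therefore prove the request came from a
// same-origin page before acting on it (classic CSRF defence).
// shared-secret mode: identity is an explicit Authorization header the attacker's
// page cannot attach, so no origin check is needed.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Reduce a configured origin (possibly with a path or default port) to the exact
// scheme://host[:port] form that browsers put in the Origin header.
// Returns null for values that are not http(s) URLs, including the literal "null".
function normalizeOrigin(value) {
  try {
    const u = new URL(value);
    return u.protocol === 'https:' || u.protocol === 'http:' ? u.origin : null;
  } catch {
    return null;
  }
}

// req: { method, headers } with lower-case header names, the shape Node's
//      http.IncomingMessage exposes.
// opts: { mode: 'trusted-proxy' | 'shared-secret', allowedOrigins: string[] }
//       (assumed configuration shape for this example).
// Returns { allowed, reason } so callers can log why a request was refused.
function checkBrowserOrigin(req, opts) {
  const method = String(req.method || '').toUpperCase();
  if (SAFE_METHODS.has(method)) {
    return { allowed: true, reason: 'safe method' };
  }

  if (opts.mode === 'shared-secret') {
    // Nothing ambient to ride: the secret must be supplied explicitly per request.
    const auth = req.headers['authorization'] || '';
    return auth.startsWith('Bearer ')
      ? { allowed: true, reason: 'explicit bearer credential' }
      : { allowed: false, reason: 'missing bearer credential' };
  }

  // trusted-proxy mode: identity is ambient, so require proof of same-origin.
  const allowed = new Set(
    (opts.allowedOrigins || []).map(normalizeOrigin).filter(Boolean)
  );

  const origin = req.headers['origin'];
  if (origin !== undefined) {
    const norm = normalizeOrigin(origin);
    if (norm && allowed.has(norm)) {
      return { allowed: true, reason: 'origin allow-listed' };
    }
    return { allowed: false, reason: `origin ${origin} not allow-listed` };
  }

  // No Origin header: fall back to Fetch Metadata, which current browsers send on
  // every request. Treat "same-site" as insufficient: a sibling subdomain is still
  // another party.
  const site = req.headers['sec-fetch-site'];
  if (site === 'same-origin') {
    return { allowed: true, reason: 'sec-fetch-site same-origin' };
  }
  if (site === undefined) {
    // Neither header present. In trusted-proxy mode this cannot be distinguished from
    // an ambient-credential CSRF, so fail closed rather than guess.
    return { allowed: false, reason: 'no Origin or Sec-Fetch-Site header' };
  }
  return { allowed: false, reason: `sec-fetch-site ${site}` };
}

// Constructed sample requests (not captured traffic) showing the two modes.
const TRUSTED_PROXY = { mode: 'trusted-proxy', allowedOrigins: ['https://ops.example.com/'] };
const SHARED_SECRET = { mode: 'shared-secret', allowedOrigins: [] };

const SAMPLES = [
  ['proxy, same-origin page', { method: 'POST', headers: { origin: 'https://ops.example.com' } }, TRUSTED_PROXY],
  ['proxy, attacker page', { method: 'POST', headers: { origin: 'https://evil.example' } }, TRUSTED_PROXY],
  ['proxy, sandboxed iframe', { method: 'POST', headers: { origin: 'null' } }, TRUSTED_PROXY],
  ['proxy, headerless client', { method: 'POST', headers: {} }, TRUSTED_PROXY],
  ['secret, cross-site form post', { method: 'POST', headers: { origin: 'https://evil.example' } }, SHARED_SECRET],
  ['secret, CLI with bearer', { method: 'POST', headers: { authorization: 'Bearer s3cr3t' } }, SHARED_SECRET],
];

for (const [label, req, opts] of SAMPLES) {
  const { allowed, reason } = checkBrowserOrigin(req, opts);
  console.log(`${label.padEnd(30)} -> ${allowed ? 'ALLOW ' : 'REJECT'} (${reason})`);
}

module.exports = { checkBrowserOrigin, normalizeOrigin };
```

The check is deliberately asymmetric: in shared-secret mode a cross-site `POST` carrying the attacker's `Origin` is refused only because it lacks the bearer header, not because of its origin, which is exactly the property the triage relies on when it rates the gap as narrow. In trusted-proxy mode the same request is refused on origin alone, and a request with neither `Origin` nor `Sec-Fetch-Site` is refused as well, since a fail-open default there would reopen the hole for older browsers.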
Affected Packages / Versions
- Package: openclaw (npm)
- Latest published npm version: 2026.3.31
- Vulnerable version range: <= 2026.3.28
- Patched versions: >= 2026.3.31
- First stable tag containing the fix: v2026.3.31
Fix Commit(s)
- 6b3f99a11f4d070fa5ed2533abbb3d7329ea4f0d (2026-03-31T19:49:26+09:00)
OpenClaw thanks @AntAISecurityLab for reporting.
References
- WEB https://github.com/openclaw/openclaw/security/advisories/GHSA-mhr7-2xmv-4c4q
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-41347
- WEB https://github.com/openclaw/openclaw/commit/6b3f99a11f4d070fa5ed2533abbb3d7329ea4f0d
- PACKAGE https://github.com/openclaw/openclaw
- WEB https://github.com/openclaw/openclaw/releases/tag/v2026.3.31
- WEB https://www.vulncheck.com/advisories/openclaw-cross-site-request-forgery-via-missing-browser-origin-validation-in-http-operator-endpoints