Ghostwire

CVE-2026-44118: OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request...

HIGH CVSS 7.8

Published: May 6, 2026 | Last Modified: May 6, 2026

Description

OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata.

Ghostwire Analysis — What This Means Practically

High CVSS score indicates significant risk — exploitation could lead to substantial data exposure or system compromise.

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Security Coverage (1 articles)

References

github.com/openclaw/openclaw/commit/3cb1a56bfc9579a0f2336f9cfa12a8a744332a19
github.com/openclaw/openclaw/security/advisories/GHSA-r6xh-pqhr-v4xh
www.vulncheck.com/advisories/openclaw-owner-context-spoofing-via-bearer-token-he