CVE-2026-53832: OpenClaw < 2026.5.18 - Identity Header Forgery via Trusted-Proxy Configuration

Synopsis

This is an identity header forgery vulnerability in OpenClaw versions before 2026.5.18. An attacker with local access to the proxy-facing Gateway port can supply crafted HTTP headers that impersonate a trusted proxy, bypassing identity validation without any authentication. Successful exploitation lets the attacker assume operator identity and escalate privileges within the application. A patched-image rebuild at version 2026.5.18 is available on HarborGuard for affected environments.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityNot required

  The attacker needs an existing shell or process on the host; the vulnerable Gateway port is local to the machine, so no over-the-network access path is required.

• AuthenticationNot required

  No credentials or account are required; the attacker only needs local access to the Gateway port to begin sending forged headers.

• Victim interactionNot required

  The exploit is self-contained and does not require any action from another user or operator to succeed.

• Attack complexityDetail

  The exploit is reliable and condition-free in terms of logic, though the CVSS AT:P token notes that a specific precondition (access to the proxy-facing Gateway port) must already be in place for the attack to work.

Blast Radius

• Reads identity context and session data belonging to operator-level accounts, including any credentials or tokens stored under that identity.
• Writes or modifies application state as an operator, including configuration changes and privilege assignments for other users.
• Allows the attacker to impersonate an operator account persistently for the duration of their local access, enabling further lateral movement within the application.