CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-32302: Cross-Site WebSocket Hijacking in OpenClaw via Origin Validation Bypass

Vulnerability ID: CVE-2026-32302
CVSS Score: 8.1
Published: 2026-03-12

OpenClaw versions prior to 2026.3.11 contain an origin validation flaw in the WebSocket connection handler. When configured to use a trusted proxy for authentication, the system incorrectly bypasses Origin header checks, leading to Cross-Site WebSocket Hijacking (CSWSH) and potential administrative takeover.

TL;DR

A logic flaw in OpenClaw (< 2026.3.11) allows Cross-Site WebSocket Hijacking when using trusted-proxy authentication. Attackers can hijack administrative sessions if an authenticated victim visits a malicious site.
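As an added illustration of the flaw class described above (this is not OpenClaw's code, which the post does not reproduce), the following JavaScript models an upgrade handler that, in trusted-proxy mode, treats the identity header supplied by the proxy as sufficient and never reaches the Origin check, beside the corrected ordering in which the Origin allowlist is enforced before any authentication path. The config shape, the `x-forwarded-user` header name and the function names are assumptions.

```javascript
// Added illustration of the CSWSH flaw class in the advisory; not OpenClaw's code.
// Assumptions: config = { authMode: 'token' | 'trusted-proxy', allowedOrigins: [...] },
// the proxy conveys the authenticated user in an 'x-forwarded-user' header, and
// `headers` is a lower-cased header map taken from the HTTP upgrade request.

// Reduce an Origin header or allowlist entry to its canonical scheme://host[:port].
// Comparing parsed origins (never string prefixes) stops app.example.attacker.tld
// from matching an allowlist entry for app.example.
function normalizeOrigin(value) {
  try {
    const origin = new URL(value).origin;
    return origin === 'null' ? null : origin; // opaque origin is never trusted
  } catch {
    return null; // not an absolute URL (bare hostname, empty string, literal "null")
  }
}

function originAllowed(originHeader, allowedOrigins) {
  // Browsers always send Origin on a WebSocket upgrade, so an absent header cannot
  // come from a cross-site page. It is still rejected here so that non-browser
  // clients are handled explicitly (e.g. with a bearer token) instead of inheriting
  // cookie-based identity from the proxy.
  const origin = normalizeOrigin(originHeader || '');
  if (!origin) return false;
  const allowed = new Set(allowedOrigins.map(normalizeOrigin).filter(Boolean));
  return allowed.has(origin);
}

// Flawed ordering: in trusted-proxy mode the handler returns early on the proxy's
// identity header. When a cross-site page opens a WebSocket to the gateway, the
// victim's browser attaches its session cookies, the proxy authenticates them and
// adds the header, and the Origin check is never evaluated.
function checkUpgradeVulnerable(headers, config) {
  if (config.authMode === 'trusted-proxy') {
    return headers['x-forwarded-user'] ? 'accept' : 'reject';
  }
  if (!originAllowed(headers.origin, config.allowedOrigins)) return 'reject';
  return headers.authorization ? 'accept' : 'reject';
}

// Corrected ordering: Origin is validated first and unconditionally; the auth mode
// only decides how identity is established once the request is known to be same-site.
function checkUpgradeFixed(headers, config) {
  if (!originAllowed(headers.origin, config.allowedOrigins)) return 'reject';
  if (config.authMode === 'trusted-proxy') {
    return headers['x-forwarded-user'] ? 'accept' : 'reject';
  }
  return headers.authorization ? 'accept' : 'reject';
}

// Constructed sample: a cross-site upgrade in trusted-proxy mode. The proxy has
// already authenticated the victim's cookies, so the identity header is present.
const demoConfig = { authMode: 'trusted-proxy', allowedOrigins: ['https://app.example'] };
const demoCrossSite = { origin: 'https://attacker.example', 'x-forwarded-user': 'alice' };
console.log(checkUpgradeVulnerable(demoCrossSite, demoConfig), checkUpgradeFixed(demoCrossSite, demoConfig)); // accept reject
```

The ordering is the whole point: authentication mode and origin validation answer different questions (who is the user, and which web page is driving their browser), and neither result may short-circuit the other.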


Technical Details

  • CWE ID: CWE-346 (Origin Validation Error)
  • Attack Vector: Network
  • CVSS v3.1: 8.1 (HIGH)
  • Privileges Required: None
  • User Interaction: Required
  • Exploit Status: Unexploited / None
  • CISA KEV: Not Listed

Affected Systems

  • OpenClaw Gateway Service
  • OpenClaw: < 2026.3.11 (Fixed in: 2026.3.11)

Code Analysis

Commit: ebed3bb

Commit message: Fix origin validation bypass in trusted-proxy mode

Mitigation Strategies

  • Upgrade OpenClaw to version 2026.3.11.
  • Implement Origin header validation at the reverse proxy layer.
  • Enforce SameSite=Strict attributes on session cookies managed by the proxy.

Remediation Steps:

  1. Verify the current running version of OpenClaw.
  2. Pull the updated Docker image or source code for version 2026.3.11.
  3. Deploy the update and restart the gateway service.
  4. Verify that the controlUi.allowedOrigins configuration contains only trusted domains.
  5. Test WebSocket connectivity from a disallowed origin to confirm the fix.
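For step 4, an added configuration audit (not an OpenClaw tool; the `controlUi.allowedOrigins` key comes from this advisory, while the surrounding JSON shape and the function name are assumptions). It flags the entries that make an exact-origin allowlist either ineffective or over-broad: wildcards, the literal `null` origin, entries that are not complete origins, non-TLS origins and duplicates.

```javascript
// Added audit for the allowedOrigins setting; illustrative, not OpenClaw's own tooling.
// Assumes the gateway config is a JSON object with controlUi.allowedOrigins as an array
// of strings, each meant to be compared against the browser's Origin header exactly.
function auditAllowedOrigins(config) {
  const findings = [];
  const list = config && config.controlUi && config.controlUi.allowedOrigins;
  if (!Array.isArray(list) || list.length === 0) {
    findings.push('controlUi.allowedOrigins is missing or empty');
    return findings;
  }
  const seen = new Set();
  for (const entry of list) {
    if (typeof entry !== 'string' || entry.includes('*')) {
      findings.push(`${entry}: wildcard or non-string entry defeats the allowlist`);
      continue;
    }
    if (entry === 'null') {
      findings.push('null: the opaque origin is sent by sandboxed iframes and file:// pages; never allowlist it');
      continue;
    }
    let url;
    try {
      url = new URL(entry);
    } catch {
      findings.push(`${entry}: not an absolute origin (expected scheme://host[:port])`);
      continue;
    }
    if (url.origin !== entry) {
      // Browsers send Origin without path or trailing slash; an entry written any
      // other way never matches under exact comparison.
      findings.push(`${entry}: a browser sends Origin as ${url.origin}; write the entry in that exact form`);
    }
    const loopback = url.hostname === 'localhost' || url.hostname === '127.0.0.1';
    if (url.protocol !== 'https:' && !loopback) {
      findings.push(`${entry}: non-TLS origin; any content injected into that HTTP site would be trusted`);
    }
    if (seen.has(url.origin)) findings.push(`${entry}: duplicate of ${url.origin}`);
    seen.add(url.origin);
  }
  return findings;
}

// Constructed sample configs (not from any real deployment).
const weakConfig = { controlUi: { allowedOrigins: ['*', 'https://app.example/', 'app.example', 'http://app.example'] } };
const goodConfig = { controlUi: { allowedOrigins: ['https://app.example', 'https://app.example:8443'] } };
console.log(auditAllowedOrigins(weakConfig)); // four findings
console.log(auditAllowedOrigins(goodConfig)); // []
```

Run it against the deployed config before and after the upgrade; an empty result means every entry is a single, fully qualified HTTPS origin, which is the only form an exact Origin comparison can match safely.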

Read the full report for CVE-2026-32302 on our website for more details including interactive diagrams and full exploit analysis.