Owner Context Spoofing Vulnerability in OpenClaw by OpenClaw
CVE-2026-44118

8.5HIGH

Key Information:

Vendor: Openclaw
Status: Openclaw
Vendor: CVE Published:; 6 May 2026

What is CVE-2026-44118?

The OpenClaw vulnerability allows unauthorized loopback clients to impersonate the owner by manipulating the sender-owner header metadata derived from server-issued bearer tokens. This can lead to unauthorized access to operations restricted to the owner, as it bypasses owner-gated functionality. Users and administrators of OpenClaw versions prior to 2026.4.22 should review and apply recommended patches to mitigate this security risk.

Affected Version(s)

OpenClaw 0 < 2026.4.22

OpenClaw 2026.4.22

References

https://github.com/openclaw/openclaw/security/advisories/...

vendor-advisory

https://github.com/openclaw/openclaw/commit/3cb1a56bfc957...

patch

https://www.vulncheck.com/advisories/openclaw-owner-conte...

third-party-advisory

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 6, 2026
Vulnerability Reserved
May 5, 2026

Credit

vladimir tokarev (@VladimirEliTokarev)

CVE-2026-44118 Data

JSON

Openclaw

What is CVE-2026-44118?

Affected Version(s)

References

CVSS V4

Timeline

Credit