CVE-2026-44118
OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request heade
OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata.
HIGH · CVSS 7.8
EPSS 0.00012
Schedule remediation
- CVSS base score ≥ 7.0
Sigma rules0
YARA rules0