CVE-2026-44118
Source: nvd.nist.gov
Published:
<p>OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata.</p> <p>Denotes Vulnerable Softw