Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network vector but AC:H because attacker must control or compromise an MCP endpoint (AT:P precondition); PR:L for required infrastructure access; C:H for direct credential exposure, I:L for minor integrity side-effect.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint can redirect requests to exfiltrate sensitive headers like API keys or tenant-routing credentials to attacker-controlled origins.
AnalysisAI
OpenClaw's streamable-http MCP server implementation leaks operator-configured custom headers to attacker-controlled origins during cross-origin HTTP redirects. All OpenClaw versions before 2026.5.12 are affected, and any deployment that places sensitive values - API keys, tenant-routing credentials, or bearer tokens - in operator-configured custom headers is exposed. An attacker who controls or has compromised an MCP endpoint can trigger a cross-origin redirect, causing OpenClaw to forward those headers to an origin the attacker controls, resulting in credential theft. No public exploit has been identified at time of analysis, and this CVE is not currently listed in CISA KEV.
Technical ContextAI
OpenClaw implements the Model Context Protocol (MCP) over a streamable-HTTP transport layer. In standard HTTP client behavior, custom request headers should be stripped when a redirect crosses an origin boundary (RFC 9110 §15.4), because the destination of the redirect is untrusted relative to the original target. CWE-522 (Insufficiently Protected Credentials) captures the root cause: OpenClaw does not enforce this stripping, so operator-injected headers - which frequently carry authentication material such as API keys or multi-tenant routing tokens - are blindly forwarded to whatever origin the redirect resolves to. The affected CPE is cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*, covering all versions prior to the 2026.5.12 release. The CVSS 4.0 AT:P metric confirms that specific attack conditions (adversarial control of an MCP endpoint) are required, distinguishing this from a fully opportunistic flaw.
RemediationAI
The primary fix is to upgrade OpenClaw to version 2026.5.12 or later, which resolves the cross-origin header forwarding behavior. Full details are in the vendor advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-rjxq-qqhf-8hwh. If immediate upgrade is not possible, a targeted compensating control is to remove sensitive credentials from operator-configured custom headers and instead inject them at the application layer (e.g., via per-request credential lookup rather than static header injection), which eliminates the exposure path without requiring a software update - the trade-off is increased application complexity. Alternatively, operators can restrict MCP endpoint targets to a strict allowlist of trusted origins, preventing OpenClaw from following redirects to unexpected destinations; this does not fix the underlying header-forwarding flaw but reduces the attacker's ability to trigger it. Network-level controls that block outbound HTTP requests to non-approved origins provide an additional defense layer but require careful maintenance of the allowlist.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-522 – Insufficiently Protected Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37142
GHSA-x7cf-6gp3-q5f8