OpenClaw, Information Exposure via Cross-Origin Redirect, CVE-2026-53840 (High) -DC-Jul2026-818


How CVE-2026-53840 Works

OpenClaw supports remote MCP (Model Context Protocol) Streamable HTTP servers, allowing operators to configure custom headers—such as API keys, bearer tokens, or tenant-routing credentials—for authentication and routing purposes. In affected versions, when an MCP endpoint responds with a cross-origin redirect (e.g., a 301 or 302 status pointing to a different domain), OpenClaw’s HTTP client follows that redirect while preserving all operator-configured custom headers.
This behavior stems from the client’s header forwarding logic, which lacks proper origin-based filtering for custom headers. The client does not strip or re-evaluate these sensitive headers when the destination origin changes, allowing them to be transmitted to the redirect target. An attacker who controls or compromises an MCP endpoint can craft a redirect response that points to an attacker-owned server, thereby exfiltrating the custom headers originally intended only for the trusted MCP service.
The vulnerability is limited to MCP Streamable HTTP servers that have custom headers configured under mcp.servers..headers. It does not expose unrelated OpenClaw credentials or affect other transport types. The practical impact depends on the sensitivity of the headers configured—if they include API keys, authentication tokens, or tenant identifiers, an attacker could gain unauthorized access to backend services, impersonate the OpenClaw instance, or pivot to other systems.
The issue was addressed by modifying the cross-origin redirect handling to strip all non-essential headers when the origin changes, ensuring that only safe, benign headers survive an origin change. This fix was first included in the stable release 2026.5.12.

DailyCVE Form:

Platform: OpenClaw
Version: Affected ≤ 2026.5.8
Vulnerability: Header forwarding via redirect
Severity: High
Date: 2026-05-28

Prediction: Patch expected 2026-06-05

What Undercode Says

Analytics:

The vulnerability arises from a missing origin check in the HTTP client’s redirect handling. The fix implements a strict allowlist for headers that may survive a cross-origin redirect, limiting them to content-negotiation and cache-validation headers.

Bash commands to check your OpenClaw version:

npm list openclaw
or
grep openclaw package.json

Code snippet showing the vulnerable behavior (conceptual):

// Vulnerable: headers are preserved across redirects
const response = await fetch(url, {
  headers: customHeaders,
  redirect: 'follow'
});
// The runtime follows the 301/302 on its own and re-sends every entry of
// customHeaders to the new origin, including API keys and bearer tokens

Code snippet showing the fixed behavior:

// Fixed: safe-header allowlist applied on cross-origin redirect
const response = await fetch(url, {
  headers: customHeaders,
  redirect: 'manual'
});
// With 'manual' the client resolves the Location header itself; when the
// target origin differs from url's origin, only allowlisted headers are
// attached to the re-issued request
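A runnable version of the allowlist logic sketched above, added here as an example and not OpenClaw's own code: redirects are followed manually, and operator-configured headers are dropped on any origin change. The allowlist members, the hosts mcp.example.test and other.example.test, and the fake fetch that stands in for a redirecting MCP endpoint are constructed assumptions.

```javascript
// Added example, not OpenClaw's own code: follow redirects manually and apply an
// allowlist to operator-configured headers whenever the origin changes.
// The allowlist contents are an assumption in the spirit of the fix described
// above (content-negotiation and cache-validation headers only).
const SAFE_HEADERS = new Set([
  'accept', 'accept-language', 'accept-encoding', 'if-none-match', 'if-modified-since',
]);
const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

// Resolve the Location header and decide which headers may accompany the next hop.
function headersForRedirect(fromUrl, location, headers) {
  const target = new URL(location, fromUrl);
  if (target.origin === new URL(fromUrl).origin) return { target, headers: { ...headers } };
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (SAFE_HEADERS.has(name.toLowerCase())) kept[name] = value;
  }
  return { target, headers: kept };
}

// redirect: 'manual' keeps the runtime from forwarding headers on our behalf;
// fetchImpl is injectable so the policy can be exercised without a network.
async function fetchWithSafeRedirects(url, headers, fetchImpl = fetch, maxHops = 5) {
  let current = new URL(url);
  let currentHeaders = headers;
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = await fetchImpl(current.href, { headers: currentHeaders, redirect: 'manual' });
    const location = res.headers.get('location');
    if (!REDIRECT_STATUSES.has(res.status) || !location) return res;
    ({ target: current, headers: currentHeaders } =
      headersForRedirect(current.href, location, currentHeaders));
  }
  throw new Error('too many redirects');
}

// Constructed stand-in for a misbehaving MCP endpoint (https://mcp.example.test)
// that answers with a 302 to another origin; every request is recorded in `log`
// so a test can check what the redirect target actually received.
function makeFakeFetch(log) {
  return async (url, init) => {
    log.push({ url, headers: { ...init.headers } });
    if (new URL(url).origin === 'https://mcp.example.test') {
      return { status: 302, headers: new Map([['location', 'https://other.example.test/exfil']]) };
    }
    return { status: 200, headers: new Map() };
  };
}
```

Same-origin redirects (for example a path change on the configured MCP host) keep every header, so the policy does not break ordinary server-side moves.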

Exploit

An attacker sets up a malicious MCP server that responds to any request with a 302 redirect to `https://attacker.com/exfil`. When OpenClaw connects to this server with custom headers (e.g., `X-Api-Key: secret`), the client follows the redirect and sends the `X-Api-Key` header to the attacker’s domain. The attacker can then use this key to impersonate the OpenClaw instance against the legitimate backend.

Protection

  • Upgrade to OpenClaw version 2026.5.12 or later.
  • Avoid using custom MCP headers with servers that are not fully trusted.
  • Rotate any MCP-specific credentials that may have been exposed by a redirecting endpoint.
  • As a general hardening measure, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.

Impact

When the affected feature is enabled and reachable, this vulnerability could allow an attacker to exfiltrate sensitive custom headers—such as API keys, bearer tokens, or tenant-routing credentials—to an attacker-controlled origin. The practical impact depends on the operator’s configuration and whether lower-trust input can reach that path. In the worst case, an attacker could gain unauthorized access to backend services, perform actions with elevated privileges, or pivot to other internal systems.


Sources:

Reported By: github.com