Description
OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger redirects to different origins to intercept sensitive headers like X-Api-Key and Private-Token intended for the original destination.
Published: 2026-03-23
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Header Disclosure
Action: Immediate Patch
AI Analysis

Impact

OpenClaw versions before 2026.3.7 include a flaw in the fetchWithSsrFGuard function that fails to filter custom authorization headers when following redirects across another origin. As a result, a redirect that points to a different domain can cause the original request’s headers such as X-Api-Key or Private-Token to be forwarded to the attacker’s server. This exposure leaks credentials that are otherwise intended only for the target destination. The weakness maps to memory data protection failures (CWE‑522) and would allow an attacker to read sensitive authentication tokens.

Affected Systems

Affected software is the OpenClaw web framework, all releases earlier than 2026.3.7, running on a Node.js environment. The vulnerability is tied to the OpenClaw package as identified by the CNA. Users deploying these versions should check their installed package version; any earlier release is vulnerable.

Risk and Exploitability

The flaw carries a high severity CVSS score of 8.8 but has a very low probability of exploitation with an EPSS below 1 %. It is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can trigger a cross‑origin redirect by manipulating input to fetchWithSsrFGuard. Although the conditions for exploitation are not trivial, the potential impact of credential theft makes the risk significant. Until a patch is applied the vulnerability remains a credible threat.

Generated by OpenCVE AI on March 24, 2026 at 19:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official OpenClaw patch for version 2026.3.7 or later.
  • If upgrading is not immediately possible, prevent the forwarding of custom authorization headers across redirects by disabling the redirect logic within fetchWithSsrFGuard or adding server‑side validation to reject cross‑origin requests.
  • Configure the web server to block or strip sensitive headers such as X‑Api‑Key and Private‑Token when a redirect is detected.
  • Monitor the OpenClaw project repository and security advisory pages for additional updates or security releases.

Generated by OpenCVE AI on March 24, 2026 at 19:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6mgf-v5j7-45cr OpenClaw: fetch-guard forwards custom authorization headers across cross-origin redirects
History

Tue, 24 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Tue, 24 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Openclaw
Openclaw openclaw
Vendors & Products Openclaw
Openclaw openclaw

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger redirects to different origins to intercept sensitive headers like X-Api-Key and Private-Token intended for the original destination.
Title OpenClaw < 2026.3.7 - Custom Authorization Header Leakage via Cross-Origin Redirects
Weaknesses CWE-522
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-24T13:45:11.059Z

Reserved: 2026-03-16T21:19:00.742Z

Link: CVE-2026-32913

cve-icon Vulnrichment

Updated: 2026-03-24T13:45:06.427Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-23T22:16:30.433

Modified: 2026-03-24T18:01:44.283

Link: CVE-2026-32913

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:36:22Z

Weaknesses