Description
OpenClaw before 2026.3.31 contains a credential exposure vulnerability in media download functionality that forwards Authorization headers across cross-origin redirects. Attackers can exploit this by crafting malicious cross-origin redirect chains to intercept sensitive authorization credentials intended for legitimate requests.
Published: 2026-04-23
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential Exposure
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an attacker to craft cross‑origin redirect chains that forward Authorization headers sent to the media download endpoint, resulting in the accidental exposure of authentication credentials. This credential leakage can provide an attacker with valid tokens or credentials that may grant unauthorized access to sensitive resources. The weakness is identified as a credential exposure flaw, consistent with the CWE-522 classification.

Affected Systems

The issue affects OpenClaw (Node.js) installations at any version before 2026.3.31. All deployments that expose media download functionality without restricting cross‑origin redirects are susceptible.

Risk and Exploitability

The CVSS score of 6.0 indicates medium severity, while the EPSS score of less than 1% suggests a low probability of active exploitation. The vulnerability is not listed in the CISA KEV catalog, and no public exploit has been reported. Attackers would need to induce a legitimate browser to follow a malicious cross‑origin redirect chain, a scenario that is plausible for phishing or compromised sites but requires specific setup rather than arbitrary remote exploitation.

Generated by OpenCVE AI on April 28, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the official OpenClaw patch released in version 2026.3.31 or later, which stops forwarding Authorization headers across cross‑origin redirects.
  • Configure the application or web server to reject any cross‑origin redirects that would expose Authorization headers, ensuring the header is omitted or the request is blocked.
  • Disable cross‑origin redirects for media download endpoints entirely, or enforce a strict same‑origin policy so that only same‑origin requests can carry credentials.

Generated by OpenCVE AI on April 28, 2026 at 20:27 UTC.
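The fix the recommended actions describe amounts to one rule in the redirect-following code: before each hop, compare the origin (scheme, host and port) of the URL that set the Authorization header with the origin of the Location target, and drop credential-bearing headers when they differ. The following is an added example written for this page, not OpenClaw's code or its patch; the URLs, the token value and the simulated Location chain are constructed inputs, and the Cookie and Proxy-Authorization handling generalizes beyond the Authorization header the CVE names. It assumes Node.js 18 or later for the global `URL` and `fetch`.

```javascript
// Added example (not OpenClaw's code): drop credential-bearing headers when a
// redirect leaves the origin the caller authenticated to. Node.js 18+.

// Headers that must never be forwarded to a different origin. Authorization is
// the one this CVE concerns; Cookie and Proxy-Authorization are the same class.
const CREDENTIAL_HEADERS = ['authorization', 'proxy-authorization', 'cookie'];

// Resolve a Location header value against the URL that returned it. Relative
// values ("/path", "//other.test/x") are legal and must be resolved before the
// origin comparison, otherwise a protocol-relative URL slips through as "same".
function resolveLocation(currentUrl, location) {
  return new URL(location, currentUrl);
}

// Return the headers to send to `nextUrl`, given the headers sent to `currentUrl`.
// URL.origin is scheme + host + port with default ports normalized, so an
// https->http downgrade on the same host also counts as cross-origin.
function headersForRedirect(currentUrl, nextUrl, headers) {
  const from = new URL(currentUrl);
  const to = new URL(nextUrl);
  if (from.origin === to.origin) {
    return { ...headers };
  }
  const forwarded = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CREDENTIAL_HEADERS.includes(name.toLowerCase())) {
      forwarded[name] = value;
    }
  }
  return forwarded;
}

// Simulate a redirect chain offline. `locations` stands in for the Location
// header each hop returns (constructed input, not live traffic). Returns one
// record per request so the caller can see which headers reached which origin.
// Credentials are never re-attached, even if a later hop returns to the start origin.
function simulateRedirectChain(startUrl, headers, locations, maxRedirects = 5) {
  const trace = [{ url: startUrl, headers: { ...headers } }];
  let current = startUrl;
  let currentHeaders = { ...headers };
  for (const location of locations) {
    if (trace.length > maxRedirects) {
      throw new Error(`redirect limit of ${maxRedirects} exceeded`);
    }
    const next = resolveLocation(current, location).href;
    currentHeaders = headersForRedirect(current, next, currentHeaders);
    trace.push({ url: next, headers: currentHeaders });
    current = next;
  }
  return trace;
}

// The same decision wired into a live fetch loop: redirects are followed
// manually so the header policy is ours rather than the HTTP client's default.
async function fetchWithSafeRedirects(url, headers, maxRedirects = 5) {
  let current = url;
  let currentHeaders = { ...headers };
  for (let i = 0; i <= maxRedirects; i++) {
    const res = await fetch(current, { headers: currentHeaders, redirect: 'manual' });
    const location = res.headers.get('location');
    if (res.status < 300 || res.status >= 400 || !location) {
      return res;
    }
    const next = resolveLocation(current, location).href;
    currentHeaders = headersForRedirect(current, next, currentHeaders);
    current = next;
  }
  throw new Error(`redirect limit of ${maxRedirects} exceeded`);
}
```

A detection-side use of `simulateRedirectChain` is to feed it the Location values recorded for a suspicious download and read off which origin would have received the token under the old behaviour; under the new behaviour the trace shows the header disappearing at the first cross-origin hop. Comparing `URL.origin` rather than hostnames is deliberate: a redirect from `https://host` to `http://host` changes origin and must also strip credentials.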

Advisories

No advisories yet.

History

Fri, 24 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 22:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: OpenClaw before 2026.3.31 contains a credential exposure vulnerability in media download functionality that forwards Authorization headers across cross-origin redirects. Attackers can exploit this by crafting malicious cross-origin redirect chains to intercept sensitive authorization credentials intended for legitimate requests.

Type: Title
Values Removed: (none)
Values Added: OpenClaw < 2026.3.31 - Authorization Header Leak via Cross-Origin Redirect in Media Download

Type: First Time appeared
Values Removed: (none)
Values Added: Openclaw; Openclaw openclaw

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-522

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Openclaw; Openclaw openclaw

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}; cvssV4_0 {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-24T13:34:21.575Z

Reserved: 2026-04-20T14:05:09.184Z

Link: CVE-2026-41345

Vulnrichment

Updated: 2026-04-24T13:34:16.672Z

NVD

Status : Analyzed

Published: 2026-04-23T22:16:41.147

Modified: 2026-04-28T18:56:28.280

Link: CVE-2026-41345

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T20:30:06Z

Weaknesses