Description
OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint can redirect requests to exfiltrate sensitive headers like API keys or tenant-routing credentials to attacker-controlled origins.
Published: 2026-06-16
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability permits leakage of operator-configured custom headers during streamable-http MCP server redirects. Attackers who can control or compromise an MCP endpoint can redirect client requests to attacker-controlled origins, thereby exfiltrating sensitive header values such as API keys or tenant-routing credentials. This information disclosure is identified as CWE-522 and can lead to credential compromise or unauthorized access depending on the exposed header content.

Affected Systems

Users running OpenClaw versions older than 2026.5.12 are affected. The vulnerability is present in all releases before 2026.5.12 of the OpenClaw product, regardless of deployment environment.

Risk and Exploitability

The CVSS score of 6.0 indicates a medium severity vulnerability. The EPSS score of less than 1% suggests a low probability of exploitation at the time of analysis. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires the attacker to have control over an MCP endpoint to inject redirects and capture custom headers; once achieved, header values can be exfiltrated to an external origin. The exposure is remote and does not require local system compromise, making it potentially attractive to attackers with partial control over the MCP service.

Generated by OpenCVE AI on June 17, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw 2026.5.12 or later to eliminate header forwarding during redirects.
  • Restrict MCP endpoint access to trusted users or networks to prevent unauthorized redirect configuration.
  • Disable or remove operator-configured custom headers when possible to reduce exfiltration risk.

Generated by OpenCVE AI on June 17, 2026 at 21:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rjxq-qqhf-8hwh OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin
History

Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint can redirect requests to exfiltrate sensitive headers like API keys or tenant-routing credentials to attacker-controlled origins.
Title OpenClaw < 2026.5.12 - Custom Header Leakage via MCP Streamable HTTP Cross-Origin Redirects
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-522
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-16T18:51:19.624Z

Reserved: 2026-06-10T21:19:32.651Z

Link: CVE-2026-53840

cve-icon Vulnrichment

Updated: 2026-06-16T18:51:11.200Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T19:17:00.863

Modified: 2026-06-16T20:42:46.200

Link: CVE-2026-53840

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T21:30:12Z

Weaknesses
  • CWE-522

    Insufficiently Protected Credentials