PT-2026-27245 · Openclaw · Openclaw

Elvin Latifli

·

Published

2026-03-09

·

Updated

2026-04-07

·

CVE-2026-32913

CVSS v3.1

9.3

Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OpenClaw, versions prior to 2026.3.7
Description: OpenClaw's fetchWithSsrFGuard(...) function does not correctly filter request headers when it follows a redirect to a different origin. It strips only a narrow denylist of well-known authentication headers, so custom credential headers such as X-Api-Key and Private-Token, which were meant only for the original destination, are forwarded to the redirect target. An attacker who can cause such a cross-origin redirect (for example by making a destination the client is allowed to reach answer with a Location pointing at an origin they control) can therefore receive those credentials. The root cause is the denylist design: any credential header the list does not name passes through. The safe design is an allowlist that drops every header on a cross-origin redirect except those explicitly known to be harmless.
Recommendations: Versions prior to 2026.3.7 should be updated to version 2026.3.7 or later.
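The following is an added example, not OpenClaw's code: a minimal redirect-following client that demonstrates the denylist problem described above beside the allowlist fix. It simulates the HTTP round trips with an in-memory route table so it runs offline; every URL, route, header value and function name (fakeFetch, followRedirects, denylistPolicy, allowlistPolicy, leakedHeaders) is a constructed assumption for illustration and says nothing about how OpenClaw's real implementation is structured.

```javascript
// Added example (not OpenClaw code). All routes, header values and function
// names below are constructed for illustration only.

// Constructed fake servers: each known URL returns a status and, for 3xx,
// a Location. api.example.com redirects one path to a different origin.
const FAKE_ROUTES = {
  "https://api.example.com/v1/items": { status: 302, location: "https://evil.example.net/collect" },
  "https://api.example.com/old-path": { status: 301, location: "/v1/final" },
  "https://api.example.com/v1/final": { status: 200 },
  "https://evil.example.net/collect": { status: 200 },
};

// Simulates one HTTP request and records exactly which headers the server saw.
function fakeFetch(url, headers) {
  const route = FAKE_ROUTES[url] || { status: 404 };
  return { status: route.status, location: route.location || null, received: { ...headers } };
}

// Header names are case-insensitive, so compare them in lower case.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Vulnerable pattern: drop only a short list of well-known credential headers.
// Anything the list does not name (X-Api-Key, Private-Token, ...) is forwarded.
const REDIRECT_DENYLIST = new Set(["authorization", "cookie", "proxy-authorization"]);
function denylistPolicy(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!REDIRECT_DENYLIST.has(name)) out[name] = value;
  }
  return out;
}

// Hardened pattern: after a cross-origin hop keep only headers known to be safe
// to send anywhere; every header not on the list is treated as a possible secret.
const REDIRECT_ALLOWLIST = new Set(["accept", "accept-language", "accept-encoding", "user-agent", "content-type"]);
function allowlistPolicy(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (REDIRECT_ALLOWLIST.has(name)) out[name] = value;
  }
  return out;
}

// URL.origin is scheme + host + port, so a scheme or port change also counts.
function isCrossOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin !== new URL(toUrl).origin;
}

// Follows redirects by hand (as an SSRF guard must, so it can re-check every hop)
// and applies `policy` to the outgoing headers whenever the origin changes.
function followRedirects(startUrl, headers, policy, maxRedirects = 5) {
  let url = startUrl;
  let current = normalizeHeaders(headers);
  const hops = [];
  for (let i = 0; i <= maxRedirects; i++) {
    const resp = fakeFetch(url, current);
    hops.push({ url, sent: Object.keys(resp.received).sort() });
    if (resp.status >= 300 && resp.status < 400 && resp.location) {
      const next = new URL(resp.location, url).toString();
      if (isCrossOrigin(url, next)) current = policy(current);
      url = next;
      continue;
    }
    return { finalUrl: url, finalHeaders: resp.received, hops };
  }
  throw new Error("too many redirects");
}

// Constructed client request: one standard credential plus two custom ones.
const REQUEST_HEADERS = {
  Accept: "application/json",
  Authorization: "Bearer token-for-api-example-com",
  "X-Api-Key": "apikey-for-api-example-com",
  "Private-Token": "pat-for-api-example-com",
};
const CREDENTIAL_HEADERS = ["authorization", "x-api-key", "private-token"];

// Credential headers that ended up at an origin other than the one they were sent to.
function leakedHeaders(result, startUrl) {
  if (!isCrossOrigin(startUrl, result.finalUrl)) return [];
  return CREDENTIAL_HEADERS.filter((name) => name in result.finalHeaders).sort();
}

const START = "https://api.example.com/v1/items";
console.log("denylist leaks :", leakedHeaders(followRedirects(START, REQUEST_HEADERS, denylistPolicy), START));
console.log("allowlist leaks:", leakedHeaders(followRedirects(START, REQUEST_HEADERS, allowlistPolicy), START));
```

With the denylist policy the request that lands on evil.example.net still carries x-api-key and private-token (only authorization was stripped); with the allowlist policy only accept survives the hop. The same-origin route (old-path to /v1/final) keeps every header under both policies, which is the intended behaviour: the credentials were issued for that origin. Comparing origins rather than hostnames matters because a redirect from https to http on the same host would otherwise carry the credentials over a downgraded channel.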

Weakness Enumeration

Improper Encoding or Escaping of Output
Incomplete List of Disallowed Inputs
Insufficiently Protected Credentials

Related identifiers

CVE-2026-32913
GHSA-6MGF-V5J7-45CR

Affected products

Openclaw