Openclaw · Openclaw · CVE-2026-32913
**Name of the Vulnerable Software and Affected Versions**
OpenClaw versions prior to 2026.3.7
**Description**
OpenClaw’s `fetchWithSsrFGuard(...)` function improperly validates headers during cross-origin redirects, allowing custom authorization headers like `X-Api-Key` and `Private-Token` to be forwarded to a different origin. This can expose sensitive credentials intended only for the original destination. The issue stems from using a narrow denylist of headers to block during redirects, instead of a safe allowlist. This allows an attacker who can trigger a redirect across origins to potentially receive these custom authorization credentials.
**Recommendations**
Versions prior to 2026.3.7 should be updated to version 2026.3.7 or later.