PT-2026-27245 · Openclaw · Openclaw
Elvin Latifli
·
Published
2026-03-09
·
Updated
2026-04-07
·
CVE-2026-32913
CVSS v3.1
9.3
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.3.7
Description
OpenClaw's fetchWithSsrFGuard(...) function improperly validates headers during cross-origin redirects, allowing custom authorization headers such as X-Api-Key and Private-Token to be forwarded to a different origin. This can expose credentials that were intended only for the original destination. The root cause is that the function strips a narrow denylist of headers when following a redirect instead of keeping only an allowlist of headers that are safe to forward, so any credential-bearing header not on the denylist survives the cross-origin hop. An attacker who can trigger a redirect across origins can therefore receive these custom authorization credentials.
Recommendations
Versions prior to 2026.3.7 should be updated to version 2026.3.7 or later.
Fix
Incomplete List of Disallowed Inputs (CWE-184)
Insufficiently Protected Credentials (CWE-522)
Improper Encoding or Escaping of Output (CWE-116)
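The denylist-versus-allowlist distinction behind CWE-184 here, shown as an added example. This is illustrative code written for this page, not OpenClaw's code and not a reconstruction of fetchWithSsrFGuard; the policy functions, the header lists and the host names are constructed for the example. The redirect chain is simulated in memory so it runs without any network: a same-origin hop followed by a cross-origin hop, with the denylist policy leaking the custom credential headers and the allowlist policy dropping them.

```javascript
// Added example (not OpenClaw's code): how per-hop header policy decides whether
// custom credential headers survive a cross-origin redirect. Hosts are constructed.

// A typical denylist: the headers most clients already know to strip.
const DENYLIST = new Set(['authorization', 'cookie', 'proxy-authorization']);
// A conservative allowlist of headers that carry no credentials.
const ALLOWLIST = new Set(['accept', 'accept-language', 'user-agent', 'content-type']);

// Origin = scheme + host + port; a scheme or port change is also cross-origin.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Vulnerable pattern: on a cross-origin hop, drop only the denylisted headers.
// Anything not on the list (X-Api-Key, Private-Token, ...) is forwarded.
function redirectHeadersDenylist(headers, fromUrl, toUrl) {
  if (sameOrigin(fromUrl, toUrl)) return { ...headers };
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    if (!DENYLIST.has(k.toLowerCase())) out[k] = v;
  }
  return out;
}

// Hardened pattern: on a cross-origin hop, keep only allowlisted headers.
function redirectHeadersAllowlist(headers, fromUrl, toUrl) {
  if (sameOrigin(fromUrl, toUrl)) return { ...headers };
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    if (ALLOWLIST.has(k.toLowerCase())) out[k] = v;
  }
  return out;
}

// Simulated redirect-following fetch. `hops` is a constructed list of the
// Location targets each server would answer with; no request is actually sent.
function followRedirects(startUrl, headers, hops, policy, maxHops = 5) {
  let current = startUrl;
  let sent = { ...headers };
  const trace = [{ url: current, headers: { ...sent } }];
  for (const next of hops) {
    if (trace.length > maxHops) throw new Error('too many redirects');
    sent = policy(sent, current, next);   // decide what crosses this hop
    current = next;
    trace.push({ url: current, headers: { ...sent } });
  }
  return trace;
}

// Constructed request: a bearer token plus two custom credential headers.
const REQUEST_HEADERS = {
  'Accept': 'application/json',
  'Authorization': 'Bearer token',
  'X-Api-Key': 'key-123',
  'Private-Token': 'glpat-xyz',
};
const START_URL = 'https://api.example.internal/v1/item-old';
const HOPS = [
  'https://api.example.internal/v1/item',  // same-origin hop: credentials may stay
  'https://collector.attacker.example/',    // cross-origin hop: credentials must go
];

// Names of non-allowlisted headers that reach the final (attacker) origin.
function leakedCredentials(policy) {
  const trace = followRedirects(START_URL, REQUEST_HEADERS, HOPS, policy);
  const last = trace[trace.length - 1];
  return Object.keys(last.headers).filter(h => !ALLOWLIST.has(h.toLowerCase())).sort();
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('denylist leaks :', leakedCredentials(redirectHeadersDenylist));
  console.log('allowlist leaks:', leakedCredentials(redirectHeadersAllowlist));
}
```

The denylist policy strips Authorization on the cross-origin hop but forwards X-Api-Key and Private-Token, which is exactly the behaviour the advisory describes; the allowlist policy forwards neither. The check that matters is the origin comparison on every hop, not just the first one, since a redirect chain can pass through the trusted origin before leaving it.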
Related Identifiers
Affected Products
Openclaw