PT-2026-31472 · Openclaw · Openclaw

Raax · Published 2026-04-08 · Updated 2026-04-09 · CVE-2026-40037

CVSS v4.0: 7.4 (High)
Vector: AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.4.8
Description: OpenClaw contains a request body replay vulnerability in the fetchWithSsrFGuard function. When the function follows a redirect to a different origin, it resends the original (unsafe) request body to that origin, so sensitive request data or headers could be exfiltrated to an unintended origin.
Recommendations: Update OpenClaw to version 2026.4.8 or later.
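The mitigation the advisory calls for is a redirect-following fetch wrapper that refuses to replay a request body (or forward credential headers) to any origin other than the one the caller addressed. The code below is an added illustration, not OpenClaw's fetchWithSsrFGuard or any code from the project; the function names (fetchWithoutCrossOriginReplay, nextRequest), the header list, and the hosts api.example.test and third-party.example are assumptions made for the example. The transport is injected so the block runs offline against a constructed fake server that answers a POST with a 307 to a third-party host.

```javascript
// Added example, not OpenClaw's code: follow redirects manually and never
// replay the body or credential headers across a cross-origin hop.

const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);
// Headers that must not travel to a different origin (assumed list).
const CREDENTIAL_HEADERS = new Set(['authorization', 'cookie', 'proxy-authorization']);

function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Given the request just sent and a redirect response, build the request for
// the next hop. Header names are stored lower-cased in a plain object.
function nextRequest(req, status, location) {
  const target = new URL(location, req.url).toString();
  const next = { url: target, method: req.method, headers: { ...req.headers }, body: req.body };
  const dropBody = () => {
    next.method = 'GET';
    delete next.body;
    delete next.headers['content-type'];
    delete next.headers['content-length'];
  };
  if (!sameOrigin(req.url, target)) {
    // Cross-origin hop: body and credentials were meant for the original
    // origin only. Downgrade to a bare GET regardless of the status code.
    dropBody();
    for (const h of CREDENTIAL_HEADERS) delete next.headers[h];
  } else if (status === 303 || ((status === 301 || status === 302) && req.method === 'POST')) {
    // Same-origin 303, or 301/302 on POST, becomes a body-less GET as browsers
    // do; same-origin 307/308 keep the method and body.
    dropBody();
  }
  return next;
}

async function fetchWithoutCrossOriginReplay(url, init, fetchImpl, maxRedirects = 5) {
  let req = {
    url,
    method: (init.method || 'GET').toUpperCase(),
    headers: Object.fromEntries(Object.entries(init.headers || {}).map(([k, v]) => [k.toLowerCase(), v])),
    body: init.body,
  };
  const hops = [];
  for (let i = 0; i <= maxRedirects; i++) {
    hops.push(req);
    const res = await fetchImpl(req); // fetchImpl must not follow redirects itself
    if (!REDIRECT_STATUSES.has(res.status)) return { response: res, hops };
    const location = res.headers.get('location');
    if (!location) return { response: res, hops };
    req = nextRequest(req, res.status, location);
  }
  throw new Error(`more than ${maxRedirects} redirects`);
}

// Constructed fake server: the trusted origin answers the POST with a 307 to a
// third-party host; `received` records exactly what reached each hop.
function makeFakeFetch() {
  const received = [];
  const fetchImpl = async (req) => {
    received.push(req);
    if (req.url === 'https://api.example.test/upload') {
      return { status: 307, headers: new Map([['location', 'https://third-party.example/collect']]) };
    }
    return { status: 200, headers: new Map() };
  };
  return { fetchImpl, received };
}

// Drive the wrapper once and report what the third-party host actually saw.
async function demo() {
  const { fetchImpl, received } = makeFakeFetch();
  const result = await fetchWithoutCrossOriginReplay(
    'https://api.example.test/upload',
    { method: 'POST', headers: { Authorization: 'Bearer constructed-token', 'Content-Type': 'application/json' }, body: '{"secret":"constructed"}' },
    fetchImpl,
  );
  const last = received[received.length - 1];
  return {
    status: result.response.status,
    hops: received.length,
    lastMethod: last.method,
    lastHasBody: last.body !== undefined,
    lastHasAuth: last.headers.authorization !== undefined,
  };
}
```

With a real transport, pass a function that issues the request with redirects disabled (for example `fetch(url, { ...init, redirect: 'manual' })`) so that the wrapper, not the underlying client, decides what crosses an origin boundary. Keeping the policy in the synchronous `nextRequest` makes it easy to unit-test each redirect case without network access.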

Fix

Weakness Enumeration

Open Redirect
Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2026-40037
GHSA-PG8G-F2HF-X82M
GHSA-QX8J-G322-QJ6M

Affected Products

Openclaw