CVE-2026-32913

CRITICAL openclaw NVD

CVSS Score 9.3

Severity CRITICAL

Published Mar 23, 2026

Vendor openclaw

Description

OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger redirects to different origins to intercept sensitive headers like X-Api-Key and Private-Token intended for the original destination.

References

https://github.com/openclaw/openclaw/commit/46715371b0612a6f9114dffd1466941ac476cef5
https://github.com/openclaw/openclaw/security/advisories/GHSA-6mgf-v5j7-45cr
https://vulncheck.com/advisories/openclaw-mar-custom-authorization-header-leakage-via-cross-origin-redirects