OpenClaw Improper Header Validation Vulnerability in FetchWithSsrFGuard Allowing Custom Authorization Header Leakage via Cross-Origin Redirects

Vulnerability

A vulnerability exists in OpenClaw versions prior to 2026.3.7, in the fetchWithSsrFGuard function. The function does not properly validate which request headers may be re-sent when a redirect is followed, so custom authorization headers are forwarded across cross-origin redirects. A remote server that responds with a redirect to a different origin can therefore receive sensitive headers such as X-Api-Key and Private-Token that were intended only for the original destination.

Impact

Exploitation of this vulnerability allows for the interception of custom authorization headers, including API keys and private tokens, by a remote service that can trigger cross-origin redirects.

Reproduction

The vulnerability can be reproduced by issuing a request through the guarded fetch that carries custom authorization headers such as X-Api-Key or Private-Token, directed at a resource that answers with a redirect to a different origin. When the redirect is followed, the custom headers are forwarded unchanged to the new origin, where the redirect target can read the sensitive values.
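The following is an added example, not OpenClaw's own code, illustrating the check that was missing: a redirect-following fetch wrapper that follows redirects manually and drops credential-bearing headers whenever the next hop is on a different origin. The header list, the helper names, the host names and the stand-in fetch() below are all constructed for this example.

```javascript
// Added example (not OpenClaw's code): follow redirects manually so that the
// wrapper, not the platform, decides which headers may cross an origin boundary.

// Constructed list of headers that must never follow a cross-origin redirect.
// X-Api-Key and Private-Token are the two named in the advisory.
const SENSITIVE_HEADERS = new Set([
  "authorization",
  "proxy-authorization",
  "cookie",
  "x-api-key",
  "private-token",
]);

// Origin comparison covers scheme, host and port (a port change is cross-origin).
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Headers to send to `nextUrl` after being redirected from `fromUrl`:
// same-origin keeps everything, cross-origin strips the sensitive set.
function headersForRedirect(fromUrl, nextUrl, headers) {
  const crossOrigin = !sameOrigin(fromUrl, nextUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && SENSITIVE_HEADERS.has(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// fetchImpl is injectable so the logic can be exercised offline.
// `redirect: "manual"` makes the real fetch() return the 3xx instead of following it.
async function fetchWithRedirectGuard(url, init = {}, fetchImpl = fetch, maxRedirects = 5) {
  let currentUrl = url;
  let headers = { ...(init.headers || {}) };
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = await fetchImpl(currentUrl, { ...init, headers, redirect: "manual" });
    const location = res.headers.get("location");
    if (res.status < 300 || res.status > 399 || !location) return res;
    const nextUrl = new URL(location, currentUrl).toString();
    headers = headersForRedirect(currentUrl, nextUrl, headers); // the missing check
    currentUrl = nextUrl;
  }
  throw new Error("too many redirects");
}

// Constructed stand-in for fetch(): api.example answers with a 302 to another
// origin; every hop records which headers reached which origin.
function makeFakeFetch(log) {
  return async (url, opts) => {
    const origin = new URL(url).origin;
    log.push({ origin, headers: { ...opts.headers } });
    if (origin === "https://api.example") {
      return { status: 302, headers: new Map([["location", "https://other.example/collect"]]) };
    }
    return { status: 200, headers: new Map() };
  };
}

// Runs one guarded request and returns the per-origin header log for inspection.
async function demo() {
  const log = [];
  const res = await fetchWithRedirectGuard(
    "https://api.example/data",
    { headers: { "X-Api-Key": "constructed-key", Accept: "application/json" } },
    makeFakeFetch(log),
  );
  return { status: res.status, log };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In the run above the first hop (api.example) sees X-Api-Key and Accept; the second hop (other.example) sees only Accept. A same-origin redirect, or one that only changes the path, keeps the full header set, which is the behaviour legitimate API redirects rely on.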

Remediation

Update to OpenClaw version 2026.3.7 or later, where this vulnerability has been patched.

Added: Mar 23, 2026, 10:21 PM
Updated: Mar 23, 2026, 10:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.0
remediation: 0.0
relevance: 4.6
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.