CVE-2026-32913
HIGH
8.8
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
CRITICAL
9.3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: changed
Confidentiality: high
Integrity: low
Availability: none
Description
OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger redirects to different origins to intercept sensitive headers like X-Api-Key and Private-Token intended for the original destination.
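The defensive behaviour this advisory describes as missing, as an added example that is not OpenClaw's code: a redirect-following fetch wrapper that drops credential-bearing headers whenever a hop leaves the origin of the URL the request was addressed to. The header list, the injectable fetchImpl parameter and the stub hosts are assumptions made for this example.

```javascript
// Added example, not from the OpenClaw project. Header names below are an
// assumed list; X-Api-Key and Private-Token are the ones the advisory names.
const SENSITIVE_HEADERS = ["authorization", "x-api-key", "private-token", "cookie"];

// Same origin means same scheme and same host:port (URL.host includes the port).
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Headers to send to `nextUrl` for a request originally bound for `fromUrl`:
// unchanged on a same-origin hop, stripped of credentials on a cross-origin one.
function headersForRedirect(headers, fromUrl, nextUrl) {
  const out = new Headers(headers);
  if (!sameOrigin(fromUrl, nextUrl)) {
    for (const name of SENSITIVE_HEADERS) out.delete(name);
  }
  return out;
}

// Follows redirects by hand (redirect: "manual") so every hop is checked.
// `fetchImpl` is injectable so the example runs offline against a stub.
async function fetchWithRedirectGuard(url, init = {}, fetchImpl = fetch, maxRedirects = 5) {
  let current = url;
  let headers = new Headers(init.headers || {});
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = await fetchImpl(current, { ...init, headers, redirect: "manual" });
    const location = res.headers.get("location");
    if (res.status < 300 || res.status > 399 || !location) return res;
    const next = new URL(location, current).toString(); // Location may be relative
    headers = headersForRedirect(headers, current, next);
    current = next;
  }
  throw new Error("too many redirects");
}

// Constructed stub (assumed hosts): the first origin answers 302 to a second
// origin; each call records the header names it received for inspection.
function makeStubFetch(log) {
  return async (url, init) => {
    log.push({ url, headers: [...init.headers.keys()].sort() });
    if (new URL(url).host === "api.example.test") {
      return new Response(null, { status: 302, headers: { location: "https://other.example.test/capture" } });
    }
    return new Response("ok", { status: 200 });
  };
}
```

With the stub, the first request carries the API key and the cross-origin second request does not; a same-origin redirect keeps all headers.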
CWE-522: Insufficiently Protected Credentials (Incomplete)
Common Consequences
Security Scopes Affected:
Access Control
Potential Impacts:
Gain Privileges Or Assume Identity
Applicable Platforms
Technologies:
ICS/OT, Not Technology-Specific, Web Based
https://github.com/openclaw/openclaw/commit/46715371b0612a6f9114dffd1466941ac47…
https://github.com/openclaw/openclaw/security/advisories/GHSA-6mgf-v5j7-45cr
https://vulncheck.com/advisories/openclaw-mar-custom-authorization-header-leaka…