CVE-2026-53840

Published: Giu 16, 2026 Last Modified: Giu 16, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 6,0

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

HIGH 7,1

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: low

Availability: none

Description

AI Translation Available

OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint can redirect requests to exfiltrate sensitive headers like API keys or tenant-routing credentials to attacker-controlled origins.

522

Insufficiently Protected Credentials

Incomplete

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control

Potential Impacts:

Gain Privileges Or Assume Identity

Applicable Platforms

Technologies: Not Technology-Specific, Web Based, ICS/OT

View CWE Details

https://github.com/openclaw/openclaw/security/advisories/GH…

https://github.com/openclaw/openclaw/security/advisories/GHSA-rjxq-qqhf-8hwh

https://www.vulncheck.com/advisories/openclaw-custom-header…

https://www.vulncheck.com/advisories/openclaw-custom-header-leakage-via-mcp-str…

CVE-2026-53840

Description

Insufficiently Protected Credentials

Common Consequences

Applicable Platforms

Iscriviti alla newsletter