CVE-2026-53840

Summary

OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint can redirect requests to exfiltrate sensitive headers like API keys or tenant-routing credentials to attacker-controlled origins.

Affected Software

VendorProductVersion RangeStatus
OpenClawOpenClaw0 < 2026.5.12affected
OpenClawOpenClaw2026.5.12unaffected

Weaknesses

  • CWE-522: Insufficiently Protected Credentials

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References