CVE-2026-53840 Overview
CVE-2026-53840 is an information disclosure vulnerability in OpenClaw versions prior to 2026.5.12. The flaw resides in streamable-http Model Context Protocol (MCP) servers, which forward operator-configured custom headers during cross-origin redirects. An attacker who controls or compromises an MCP endpoint can issue redirects that route requests to attacker-controlled origins, causing sensitive headers such as API keys and tenant-routing credentials to be exfiltrated. The issue is tracked under CWE-522 (Insufficiently Protected Credentials).
Critical Impact
Attackers controlling an MCP endpoint can harvest API keys, bearer tokens, and tenant-routing credentials sent through OpenClaw's streamable-http client via cross-origin redirects.
Affected Products
- OpenClaw versions before 2026.5.12 (Node.js distribution)
- OpenClaw 2026.5.12 beta releases beta1 through beta8
- Deployments using streamable-http MCP servers with operator-configured custom headers
Discovery Timeline
- 2026-06-16 - CVE-2026-53840 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-53840
Vulnerability Analysis
OpenClaw's streamable-http MCP client allows operators to attach custom HTTP headers to outbound requests. These headers commonly carry authentication material such as Authorization bearer tokens, X-API-Key values, and tenant-routing identifiers. When the remote MCP server responds with an HTTP redirect, the client follows that redirect and forwards the original custom headers, even when the redirect target resides on a different origin.
This behavior violates the principle that credentials scoped to one origin should not be transmitted to another. A malicious or compromised MCP endpoint can return a 3xx response pointing to an attacker-controlled host and receive the operator's headers verbatim. The vulnerability is network-reachable and requires only that the operator configure sensitive headers, which is the documented usage pattern for authenticated MCP servers.
Root Cause
The root cause is missing origin-aware filtering in the HTTP redirect handler. Industry-standard HTTP clients strip Authorization and other sensitive headers when a redirect crosses origin boundaries. OpenClaw's MCP transport forwarded all custom headers unconditionally, treating cross-origin redirects identically to same-origin ones. This is a classic credential exposure flaw mapped to CWE-522.
Attack Vector
An attacker who operates a legitimate-looking MCP server, or who has compromised one already trusted by the operator, configures it to respond to client requests with a redirect such as HTTP/1.1 307 Temporary Redirect pointing to https://attacker.example/collect. The OpenClaw client follows the redirect and replays every operator-configured header, including secrets. The attacker logs the inbound request and extracts credentials. No user interaction is required beyond the operator's normal use of the MCP integration. See the VulnCheck Security Advisory for additional technical detail.
Detection Methods for CVE-2026-53840
Indicators of Compromise
- Outbound HTTP 3xx responses from configured MCP endpoints pointing to domains outside the expected vendor allowlist.
- Unexpected requests carrying Authorization, X-API-Key, or tenant-routing headers reaching hosts not previously seen in MCP traffic baselines.
- OpenClaw process logs showing redirect chains that terminate on newly registered or low-reputation domains.
Detection Strategies
- Inspect egress proxy logs for OpenClaw user-agent traffic that crosses origin boundaries after an MCP server response.
- Compare destination hosts in redirect chains against an allowlist of approved MCP service providers.
- Alert when sensitive header names appear in TLS-decrypted traffic destined for hosts other than the originally configured MCP endpoint.
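The indicators and strategies above can be turned into a small analytic. The following is an added example, not OpenClaw's code nor any vendor's detection content: it parses constructed egress-proxy log lines (the key=value format, the client identifiers, the hosts and the `OpenClaw` user-agent prefix are all assumptions made for this example, not a documented OpenClaw format), tracks 3xx responses from configured MCP endpoints, and raises an alert when a cross-origin redirect points outside the approved-provider allowlist or when credential header names are seen reaching a host that is not on it. A request carrying those headers to the exact host a preceding cross-origin redirect pointed at is scored higher, since that is the sequence CVE-2026-53840 produces.

```javascript
// Added example (not OpenClaw's or any vendor's tooling): detection logic for
// the indicators above, run over constructed egress-proxy log lines.
// Constructed log format (one request per line):
//   <ts> client=<id> ua="<user-agent>" method=<m> url=<url> status=<n> [location=<url>] hdrs=<comma-list>

// Header names that should never reach an unapproved host. Authorization and
// X-API-Key come from the advisory; X-Tenant-Id is a hypothetical stand-in for
// a tenant-routing header.
const SENSITIVE = new Set(['authorization', 'proxy-authorization', 'x-api-key', 'x-tenant-id']);

// Assumption: OpenClaw traffic is identified by a user-agent prefix of "OpenClaw".
const OPENCLAW_UA_PREFIX = 'OpenClaw';

// Approved MCP service providers (constructed allowlist).
const ALLOWLIST = new Set(['mcp.vendor.example']);

// Constructed sample log. Lines 1-2 are the vulnerable redirect chain, lines
// 3-4 a benign same-origin redirect, line 5 non-OpenClaw traffic, line 6 a
// credential header sent to an unapproved host without any redirect.
const SAMPLE_LOG = [
  '2026-06-16T10:00:01Z client=oc-host-1 ua="OpenClaw" method=POST url=https://mcp.vendor.example/mcp status=307 location=https://collector.example/collect hdrs=authorization,x-api-key,content-type',
  '2026-06-16T10:00:01Z client=oc-host-1 ua="OpenClaw" method=POST url=https://collector.example/collect status=200 hdrs=authorization,x-api-key,content-type',
  '2026-06-16T10:05:00Z client=oc-host-1 ua="OpenClaw" method=POST url=https://mcp.vendor.example/old status=308 location=/v2/mcp hdrs=authorization,content-type',
  '2026-06-16T10:05:00Z client=oc-host-1 ua="OpenClaw" method=POST url=https://mcp.vendor.example/v2/mcp status=200 hdrs=authorization,content-type',
  '2026-06-16T10:09:30Z client=laptop-7 ua="Mozilla/5.0" method=GET url=https://collector.example/ status=200 hdrs=cookie',
  '2026-06-16T10:12:00Z client=oc-host-2 ua="OpenClaw" method=POST url=https://unknown-mcp.example/mcp status=200 hdrs=x-api-key,content-type',
];

// Parse one key=value line; values are either "quoted" or a run of non-spaces.
function parseLine(line) {
  const rec = { ts: line.split(' ')[0] };
  const re = /(\w+)=("([^"]*)"|\S+)/g;
  let m;
  while ((m = re.exec(line)) !== null) rec[m[1]] = m[3] !== undefined ? m[3] : m[2];
  rec.status = Number(rec.status);
  rec.hdrs = rec.hdrs ? rec.hdrs.split(',').map((h) => h.trim().toLowerCase()) : [];
  return rec;
}

function hostOf(url) {
  return new URL(url).host;
}

// Walk the log in order and return the alerts it produces.
function analyze(lines, allowlist, uaPrefix = OPENCLAW_UA_PREFIX) {
  const alerts = [];
  const pendingRedirect = new Map(); // client -> { from, to } of its last cross-origin 3xx
  for (const line of lines) {
    const r = parseLine(line);
    if (!r.url || !(r.ua || '').startsWith(uaPrefix)) continue; // OpenClaw traffic only
    const host = hostOf(r.url);

    // IoC 2 / strategy 3: credential header names reaching a host outside the allowlist.
    const leaked = r.hdrs.filter((h) => SENSITIVE.has(h));
    if (leaked.length > 0 && !allowlist.has(host)) {
      const prior = pendingRedirect.get(r.client);
      const viaRedirect = prior !== undefined && hostOf(prior.to) === host;
      alerts.push({
        severity: viaRedirect ? 'high' : 'medium',
        rule: viaRedirect
          ? 'credential-headers-replayed-after-cross-origin-redirect'
          : 'credential-headers-to-unapproved-host',
        client: r.client,
        host,
        headers: leaked,
        redirectedFrom: viaRedirect ? hostOf(prior.from) : null,
      });
    }

    // IoC 1 / strategy 2: a 3xx from an MCP endpoint pointing at another host.
    const isRedirect = r.status >= 300 && r.status < 400 && Boolean(r.location);
    if (isRedirect) {
      const target = new URL(r.location, r.url).toString(); // resolves relative Location
      const targetHost = hostOf(target);
      if (targetHost !== host) {
        pendingRedirect.set(r.client, { from: r.url, to: target });
        if (!allowlist.has(targetHost)) {
          alerts.push({ severity: 'medium', rule: 'cross-origin-redirect-to-unapproved-host', client: r.client, host, target: targetHost });
        }
      } else {
        pendingRedirect.delete(r.client); // same-origin redirect, nothing to track
      }
    } else {
      pendingRedirect.delete(r.client); // chain ended with a final response
    }
  }
  return alerts;
}

for (const a of analyze(SAMPLE_LOG, ALLOWLIST)) console.log(JSON.stringify(a));
```

Against the constructed sample this produces three alerts: a medium one for the 307 from the configured endpoint pointing at an unapproved host, a high one for the credential headers that then arrive at that host, and a medium one for the unrelated API key sent to an unapproved host with no redirect in front of it. Pairing by client and target host is what separates the redirect-replay case from ordinary misconfiguration; correlating on timestamp as well would tighten it further on a real proxy log.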
Monitoring Recommendations
- Enable verbose HTTP client logging in OpenClaw deployments to capture redirect targets and review them during incident triage.
- Rotate and monitor any API keys or tokens configured as MCP custom headers, watching authentication logs for use from unexpected IP ranges.
- Aggregate OpenClaw network telemetry into a centralized analytics platform and alert on first-seen destinations following 3xx responses.
How to Mitigate CVE-2026-53840
Immediate Actions Required
- Upgrade OpenClaw to version 2026.5.12 or later, which removes custom headers on cross-origin redirects.
- Inventory all OpenClaw MCP integrations and identify which custom headers carry credentials.
- Rotate any API keys, bearer tokens, or tenant identifiers that have been configured as MCP custom headers, treating them as potentially exposed.
- Restrict outbound network access from OpenClaw hosts to an explicit allowlist of trusted MCP endpoints.
Patch Information
The maintainers released the fix in OpenClaw 2026.5.12 (stable). Beta releases 2026.5.12-beta1 through 2026.5.12-beta8 remain vulnerable and must not be deployed. Patch details are published in the OpenClaw GitHub Security Advisory GHSA-rjxq-qqhf-8hwh.
Workarounds
- Remove sensitive credentials from MCP custom header configurations until the patched version is deployed.
- Front OpenClaw with an egress proxy that strips Authorization and other secret headers when the destination host does not match the original request host.
- Disable use of streamable-http MCP servers that are not fully controlled by the operator, or pin connections to specific hostnames with strict DNS controls.
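The defect described under Root Cause and the header-stripping rule of the egress-proxy workaround above come down to the same decision: when a redirect crosses an origin boundary, drop the credential headers before the follow-up request. The script below is an added example that models that decision; it is neither OpenClaw's transport code nor the fix the maintainers shipped. It replaces the network with an in-memory table of canned responses so it runs offline, and a single flag switches the follower between the vulnerable behaviour (replay every header on every redirect) and the origin-aware behaviour. The hosts, the token values and the `X-Tenant-Id` header are constructed for the example.

```javascript
// Added example, not OpenClaw's code: a minimal redirect follower whose header
// policy can be switched between "forward everything" (the vulnerable
// behaviour) and "strip credentials on cross-origin redirects" (the fix, and
// the rule an egress proxy should apply). Network access is simulated.

// Header names that must never cross an origin boundary on a redirect.
// X-Tenant-Id is a hypothetical stand-in for a tenant-routing header.
const SENSITIVE_HEADERS = new Set([
  'authorization', 'proxy-authorization', 'cookie', 'x-api-key', 'x-tenant-id',
]);

// Origin = scheme + host + port. URL.host already carries a non-default port
// and drops a default one, so "https://a.example:443/" equals "https://a.example/".
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Headers that may accompany the follow-up request after a redirect.
// stripCrossOrigin=false reproduces the unconditional forwarding described above.
function headersForRedirect(fromUrl, toUrl, headers, stripCrossOrigin) {
  if (!stripCrossOrigin || sameOrigin(fromUrl, toUrl)) return { ...headers };
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE_HEADERS.has(name.toLowerCase())) kept[name] = value;
  }
  return kept;
}

// Follow up to maxHops 3xx responses. send(url, headers) is injected so the
// same logic can run against the fake transport below.
function followRedirects(send, url, headers, stripCrossOrigin, maxHops = 5) {
  let current = url;
  let currentHeaders = { ...headers };
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = send(current, currentHeaders);
    const isRedirect = res.status >= 300 && res.status < 400 && Boolean(res.headers.location);
    if (!isRedirect) return { url: current, status: res.status };
    const next = new URL(res.headers.location, current).toString(); // resolves relative Location
    currentHeaders = headersForRedirect(current, next, currentHeaders, stripCrossOrigin);
    current = next;
  }
  throw new Error('redirect limit exceeded');
}

// Constructed stand-in for the network: URL -> canned response.
// mcp.vendor.example plays the configured MCP endpoint; collector.example is a
// hypothetical third-party origin that one of its paths redirects to.
const ROUTES = {
  'https://mcp.vendor.example/mcp': { status: 307, headers: { location: 'https://collector.example/collect' } },
  'https://collector.example/collect': { status: 200, headers: {} },
  'https://mcp.vendor.example/old': { status: 308, headers: { location: '/v2/mcp' } },
  'https://mcp.vendor.example/v2/mcp': { status: 200, headers: {} },
};

// Send one request through the fake network and return every (url, headers)
// pair that actually went on the wire, so the leak is visible as data.
function runScenario(startUrl, stripCrossOrigin) {
  const wire = [];
  const send = (url, headers) => {
    wire.push({ url, headers: { ...headers } });
    return ROUTES[url] || { status: 404, headers: {} };
  };
  const operatorHeaders = { // constructed operator configuration
    Authorization: 'Bearer constructed-secret-token',
    'X-API-Key': 'constructed-api-key',
    'X-Tenant-Id': 'tenant-42',
    'Content-Type': 'application/json',
  };
  followRedirects(send, startUrl, operatorHeaders, stripCrossOrigin);
  return wire;
}

for (const strip of [false, true]) {
  const wire = runScenario('https://mcp.vendor.example/mcp', strip);
  const last = wire[wire.length - 1];
  console.log(`stripCrossOrigin=${strip}: ${last.url} received ${Object.keys(last.headers).join(', ')}`);
}
```

With the flag off, the second request on the wire goes to collector.example carrying Authorization, X-API-Key and X-Tenant-Id verbatim; with it on, only Content-Type survives the hop, while the same-origin 308 from /old to /v2/mcp keeps every header. The comparison is done on the full origin rather than on the hostname alone so that a downgrade from https to http on the same host is also treated as a boundary; an egress proxy implementing the workaround can apply `headersForRedirect` to the request it sees after the 3xx, with the previous request's URL as `fromUrl`.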
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.