Jun 17, 2026
OpenClaw versions prior to 2026.5.12 leak configured custom HTTP headers to third-party domains when an MCP server returns a redirect response. Attackers can leverage this behavior to capture sensitive API keys and tokens.
An information disclosure vulnerability exists in OpenClaw before version 2026.5.12. The issue resides within the streamable-http Model Context Protocol (MCP) server integration, where the application client automatically forwards operator-configured custom headers during cross-origin HTTP redirects. If an attacker controls or compromises a configured remote MCP endpoint, they can issue redirect responses to exfiltrate highly sensitive data, such as API keys or tenant-routing credentials, to unauthorized external origins.
OpenClaw leverages Model Context Protocol (MCP) servers to coordinate and orchestrate remote execution environments. A principal method for this communication is the streamable-http transport layer. This layer allows system operators to configure custom HTTP headers, such as credentials, tenant identifiers, and cryptographic keys, ensuring proper routing and authentication. These parameters are stored in the application's configuration under the mcp.servers.*.headers block.
When OpenClaw sends a request to a remote MCP server, the underlying HTTP client automatically appends these custom headers to the outbound request. However, the client is configured to follow HTTP redirects natively. In versions of OpenClaw prior to 2026.5.12, the transport layer did not check whether the origin of the target named in a redirect response matched the origin of the original request.
This behavior exposes a cross-origin credential leakage vulnerability classified under CWE-522 (Insufficiently Protected Credentials). The primary attack surface exists anywhere an operator integrates an external, untrusted, or multi-tenant streamable-http MCP server with custom authentication configurations. By failing to strip headers during origin shifts, the software allows unauthorized third parties to capture active credentials.
The root cause of CVE-2026-53840 is a missing origin check in the redirect handling of the OpenClaw client-side streamable-http transport layer. In Node.js environments, standard HTTP clients such as Axios or native Fetch API configurations may automatically follow responses with status codes in the 3xx range (such as 301, 302, 307, or 308). When doing so, they often carry forward the initial request headers to the new destination.
To prevent information disclosure, security specifications require that HTTP clients perform an origin comparison check prior to dispatching redirected requests. Specifically, if the protocol, hostname, or port of the target redirect URL deviates from the initial destination, any custom or authorization headers must be purged. The OpenClaw client failed to execute this check, resulting in the preservation of custom-configured headers across distinct HTTP origins.
This flaw is especially critical because the headers defined in mcp.servers are frequently high-value secrets, such as API keys or bearer tokens. The vulnerability does not leak the global administrative credentials of the OpenClaw application itself. Instead, it exposes the custom-defined credentials linked to the compromised or malicious streamable-http configuration.
To understand the implementation flaw, consider the representative JavaScript/TypeScript code path managing MCP connections. Prior to the patch, the application initialized HTTP requests using standard fetch parameters where automatic redirection was permitted without interceptor logic.
```typescript
// Config shape assumed for this representative snippet
interface McpConfig {
  baseUrl: string;
  headers: Record<string, string>;
}

// Vulnerable Implementation (Before 2026.5.12)
async function fetchMcpData(mcpConfig: McpConfig, endpoint: string) {
  const targetUrl = new URL(endpoint, mcpConfig.baseUrl);
  const response = await fetch(targetUrl.toString(), {
    method: 'GET',
    headers: {
      ...mcpConfig.headers, // Includes sensitive custom API tokens
      'Accept': 'application/json'
    },
    redirect: 'follow' // Automatically follows redirects retaining all headers
  });
  return response.json();
}
```

The configuration redirect: 'follow' delegates redirect handling entirely to the runtime's engine, which does not perform cross-origin sanitization on custom header properties. To remedy this flaw in version 2026.5.12, the development team updated the client to manage redirections manually. By changing the redirection strategy to manual, the client intercepts the redirect, inspects the target origin, and sanitizes the headers prior to initiating the subsequent call.
```typescript
// Patched Implementation (In 2026.5.12)
async function fetchMcpDataPatched(mcpConfig: McpConfig, endpoint: string) {
  const initialUrl = new URL(endpoint, mcpConfig.baseUrl);
  let currentUrl = initialUrl;
  // Typed as a string map so individual entries can be deleted below
  let headers: Record<string, string> = { ...mcpConfig.headers, 'Accept': 'application/json' };
  let response = await fetch(currentUrl.toString(), {
    method: 'GET',
    headers: headers,
    redirect: 'manual' // Handle redirections explicitly
  });
  if ([301, 302, 303, 307, 308].includes(response.status)) {
    const location = response.headers.get('location');
    if (location) {
      // Resolve relative Location values against the URL that was requested
      const redirectUrl = new URL(location, currentUrl);
      // Enforce cross-origin validation check
      if (redirectUrl.origin !== initialUrl.origin) {
        // Strip sensitive credentials on origin mismatch
        for (const sensitiveHeader of Object.keys(headers)) {
          if (isSensitiveHeader(sensitiveHeader)) {
            delete headers[sensitiveHeader];
          }
        }
      }
      response = await fetch(redirectUrl.toString(), {
        method: 'GET',
        headers: headers,
        redirect: 'manual' // A further redirect from this hop is not followed
      });
    }
  }
  return response.json();
}

// Case-insensitive substring match on the header name
function isSensitiveHeader(headerName: string): boolean {
  const normalized = headerName.toLowerCase();
  const sensitivePatterns = ['auth', 'token', 'key', 'cookie', 'x-tenant'];
  return sensitivePatterns.some(pattern => normalized.includes(pattern));
}
```

Exploitation of CVE-2026-53840 requires a pre-existing trust configuration within the target OpenClaw system. The administrator must have registered a remote streamable-http MCP server that utilizes custom headers. The attacker must either directly control this registered MCP endpoint or successfully compromise it to intercept and manipulate its HTTP responses.
When OpenClaw makes an automated outbound API call to the configured MCP endpoint, the attacker's server responds with an HTTP redirect status code, such as 302 Found. The response includes a Location header pointing to an external destination under the attacker's administrative control. Because of the client-side flaw, OpenClaw follows this instruction and transmits the initial custom header set directly to the attacker's server.
The credential capture is silent and automated. Once the attacker extracts the token from the incoming headers on their listener server, they gain unauthorized access to the third-party service or routing gateway that the credentials were originally configured to authenticate against.
The potential consequences of CVE-2026-53840 depend entirely on the scope and privilege of the credentials stored within the mcp.servers configuration. Because these custom headers typically authenticate requests to remote execution environments, compromise of these credentials could lead to unauthorized API access, data exposure, or lateral movement within the connected systems.
CVSS 4.0 rates this vulnerability with a base score of 6.0 (Medium), reflecting a network attack vector with low complexity. The primary requirement is the configuration of an affected remote server. While the integrity and availability of the OpenClaw service itself are not directly degraded, the confidentiality impact on the targeted external secrets is high.
No public proof-of-concept exploits exist, and the vulnerability is not currently cataloged in the CISA Known Exploited Vulnerabilities registry. However, because credential theft represents a reliable technique for initial access and persistence, organizations employing streamable-http MCP instances should prioritize remediation to avoid potential key leakage.
The definitive remediation for CVE-2026-53840 is upgrading the OpenClaw installation to version 2026.5.12 or newer. If immediate patching is not possible, operators using versions 2026.5.8 or higher can utilize early security adjustments implemented in those intermediary releases. This mitigates the immediate risks associated with automatic redirection forwarding.
In addition to upgrading, system administrators should conduct a comprehensive audit of all remote MCP connections configured under mcp.servers. Any custom headers used in conjunction with streamable-http configurations prior to the patch must be treated as potentially compromised. These credentials must be rotated immediately to invalidate any keys that may have been leaked.
Detection can be accomplished by analyzing outbound network traffic from the OpenClaw environment. Security teams should monitor for HTTP 3xx redirection responses originating from internal or external MCP endpoints that resolve to third-party domains. Any outbound request following a redirect that retains Authorization or custom headers should be flagged as an indicator of exposure.
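The detection described above, sketched as an added example (this is not OpenClaw code): it pairs each 3xx response in an egress-proxy log with the follow-up request to the resolved Location and flags cross-origin hops that still carry credential-bearing headers. The record shape, the hostnames and the sample entries are constructed, and it assumes the proxy records the names of request headers.

```typescript
// Added example (not OpenClaw code). Record shape and sample entries are constructed.
interface ProxyRecord {
  url: string;              // request URL
  status: number;           // response status
  location?: string;        // Location response header, if present
  requestHeaders: string[]; // names of the headers sent with the request
}
interface Exposure { from: string; to: string; leakedHeaders: string[] }

// Same substring heuristic as the isSensitiveHeader() shown earlier on the page.
const SENSITIVE = ['auth', 'token', 'key', 'cookie', 'x-tenant'];
const isSensitive = (name: string): boolean =>
  SENSITIVE.some(p => name.toLowerCase().includes(p));

function findExposures(log: ProxyRecord[]): Exposure[] {
  const exposures: Exposure[] = [];
  log.forEach((rec, i) => {
    if (rec.status < 300 || rec.status > 399 || !rec.location) return;
    const source = new URL(rec.url);
    // Location may be relative; resolve it against the redirecting URL.
    const target = new URL(rec.location, source);
    // Origin covers scheme, host and port; default ports are normalized.
    if (target.origin === source.origin) return;
    // The follow-up is the next logged request to the resolved target URL.
    const followUp = log.slice(i + 1).find(r => new URL(r.url).href === target.href);
    if (!followUp) return;
    const leaked = followUp.requestHeaders.filter(isSensitive);
    if (leaked.length > 0) {
      exposures.push({ from: source.origin, to: target.origin, leakedHeaders: leaked });
    }
  });
  return exposures;
}

// Constructed sample log: a same-origin redirect, a cross-origin redirect that
// kept its headers, and a scheme-downgrade redirect whose headers were stripped.
const sampleLog: ProxyRecord[] = [
  { url: 'https://mcp.example.test/v1/tools', status: 307, location: '/v2/tools', requestHeaders: ['X-Api-Key', 'Accept'] },
  { url: 'https://mcp.example.test/v2/tools', status: 302, location: 'https://collector.example.net/in', requestHeaders: ['X-Api-Key', 'Accept'] },
  { url: 'https://collector.example.net/in', status: 200, requestHeaders: ['X-Api-Key', 'Accept'] },
  { url: 'https://mcp.example.test:443/v1/run', status: 302, location: 'http://mcp.example.test/v1/run', requestHeaders: ['Authorization'] },
  { url: 'http://mcp.example.test/v1/run', status: 200, requestHeaders: ['Accept'] },
];

console.log(JSON.stringify(findExposures(sampleLog)));
```

Only the second entry pair is reported; the https-to-http hop counts as cross-origin but is not flagged because its follow-up request no longer carries a sensitive header.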
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| openclaw OpenClaw | < 2026.5.12 | 2026.5.12 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-522: Insufficiently Protected Credentials |
| Attack Vector | Network |
| CVSS v4.0 Base Score | 6.0 (Medium) |
| CVSS v3.1 Base Score | 6.8 (Medium) |
| EPSS Score | 0.00223 (Percentile: 12.73%) |
| Exploit Status | No public PoCs available |
| CISA KEV Status | Not listed |
The application transmits or stores sensitive credentials without sufficient protective measures, in this case, sending them to untrusted external origins over standard redirect mechanisms.