EXECUTIVE SUMMARY:
CVE-2026-53840 with a CVSS score of 7.1 is a vulnerability in the npm package OpenClaw that affects all releases prior to version, where the MCP Streamable HTTP transport can be configured to send custom headers to remote MCP servers. The flaw arises because OpenClaw does not properly sanitize or restrict the forwarding of operator‑defined headers when the remote MCP endpoint issues a cross‑origin HTTP redirect, causing the original custom headers—often containing API keys, tenant identifiers, or other sensitive routing information—to be automatically relayed to the attacker‑controlled destination. An adversary who controls or compromises an MCP server, or can induce a redirect from a legitimate server, can trigger the redirect by issuing a standard HTTP GET request; no authentication to the OpenClaw instance is required beyond the server’s willingness to accept the redirect. By capturing the forwarded headers, the attacker gains unauthorized access to backend services or can impersonate legitimate tenants, potentially leading to data leakage, unauthorized API usage, and compliance violations. Exploitation requires the presence of a configured MCP server with custom headers and a redirect‑capable endpoint, making the risk highest in environments that trust third‑party MCP services without strict header controls.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-53840 with a CVSS score of 7.1 is a vulnerability in the npm package OpenClaw that affects all releases prior to version, where the MCP Streamable HTTP transport can be configured to send custom headers to remote MCP servers. The flaw arises because OpenClaw does not properly sanitize or restrict the forwarding of operator‑defined headers when the remote MCP endpoint issues a cross‑origin HTTP redirect, causing the original custom headers—often containing API keys, tenant identifiers, or other sensitive routing information—to be automatically relayed to the attacker‑controlled destination. An adversary who controls or compromises an MCP server, or can induce a redirect from a legitimate server, can trigger the redirect by issuing a standard HTTP GET request; no authentication to the OpenClaw instance is required beyond the server’s willingness to accept the redirect. By capturing the forwarded headers, the attacker gains unauthorized access to backend services or can impersonate legitimate tenants, potentially leading to data leakage, unauthorized API usage, and compliance violations. Exploitation requires the presence of a configured MCP server with custom headers and a redirect‑capable endpoint, making the risk highest in environments that trust third‑party MCP services without strict header controls.[emaillocker id="1283"]
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-rjxq-qqhf-8hwh