CVE Catalog

CVE-2026-53840

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

13th percentile - higher than 13% of all known CVEs

Summary

OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers can exploit this vulnerability to exfiltrate sensitive headers like API keys or tenant-routing credentials.

Risk Assessment

Organizations may be exposed to the theft of sensitive information, potentially leading to unauthorized access to systems and data. Disclosure of such information can result in serious financial and reputational consequences.

Recommendation

It is recommended to update OpenClaw to version 2026.5.12 or later to mitigate this vulnerability. Additionally, conducting an audit of MCP server configurations is advisable to minimize the risk of sensitive header disclosure.

Original NVD description (English source)

OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint can redirect requests to exfiltrate sensitive headers like API keys or tenant-routing credentials to attacker-controlled origins.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS