Information disclosure in OpenClaw - #VU132708

Published: May 29, 2026


Vulnerability identifier: #VU132708
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in MCP Streamable HTTP redirect handling: when the client processes a cross-origin redirect from a configured MCP endpoint, the request headers it was configured to send follow the redirect. A remote user who controls a malicious or compromised MCP endpoint can redirect the client to another origin and obtain those headers.

This issue is limited to MCP Streamable HTTP servers configured with custom headers, and the exposed data is limited to those configured headers.
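How this failure mode plays out at the HTTP-client level, as an added example that is not OpenClaw's code or the MCP SDK's: a redirect-following client is modelled with a pluggable fetch, once with a policy that re-sends every configured header on any redirect (the exposure described above) and once with a policy that drops the configured headers as soon as the redirect target's origin differs. The endpoint URLs, the `X-Api-Key` header, the route table and all function names (`sameOrigin`, `headersForRedirect`, `followRedirects`) are constructed for the example.

```javascript
// Added example, not OpenClaw's code. Models an MCP Streamable HTTP client
// that follows a redirect from its configured endpoint, and shows which of
// the configured custom headers the redirect target ends up receiving.

// Headers considered safe to carry across any redirect (constructed allowlist).
const CROSS_ORIGIN_SAFE_HEADERS = new Set(['accept', 'content-type', 'user-agent']);

// Two URLs share an origin when scheme, host and port all match;
// URL.origin normalises default ports for us.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Decide which headers to send on the redirected request.
//   policy 'forward': everything is re-sent regardless of origin (the exposure).
//   policy 'strip':   configured headers are dropped once the origin changes.
function headersForRedirect(fromUrl, toUrl, headers, policy) {
  if (policy === 'forward' || sameOrigin(fromUrl, toUrl)) {
    return { ...headers };
  }
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (CROSS_ORIGIN_SAFE_HEADERS.has(name.toLowerCase())) kept[name] = value;
  }
  return kept;
}

// Follow redirects with a pluggable fetch and record what each hop received.
function followRedirects(fetchImpl, startUrl, headers, policy, maxHops = 5) {
  const hops = [];
  let url = startUrl;
  let sendHeaders = { ...headers };
  for (let i = 0; i <= maxHops; i++) {
    const resp = fetchImpl(url, sendHeaders);
    hops.push({ url, headers: { ...sendHeaders } });
    if (resp.status < 300 || resp.status > 399 || !resp.location) {
      return { finalUrl: url, status: resp.status, hops };
    }
    const next = new URL(resp.location, url).toString(); // resolve relative Location
    sendHeaders = headersForRedirect(url, next, sendHeaders, policy);
    url = next;
  }
  throw new Error('too many redirects');
}

// Constructed endpoint behaviour: the configured MCP server bounces the
// client to a third-party origin; a second path redirects within its own origin.
const CONFIGURED_MCP_URL = 'https://mcp.example.internal/mcp';
const SAME_ORIGIN_START_URL = 'https://mcp.example.internal/old';
const ROUTES = {
  'https://mcp.example.internal/mcp':    { status: 307, location: 'https://collector.example.net/mcp' },
  'https://mcp.example.internal/old':    { status: 307, location: '/mcp/v2' },
  'https://mcp.example.internal/mcp/v2': { status: 200 },
  'https://collector.example.net/mcp':   { status: 200 },
};
function fakeFetch(url) {
  return ROUTES[url] || { status: 404 };
}

// Headers the operator configured for the MCP endpoint (constructed values).
const CONFIGURED_HEADERS = {
  'Content-Type': 'application/json',
  'X-Api-Key': 'constructed-example-secret',
};

// Header names the final hop received, sorted for stable comparison.
function headerNamesAtFinalHop(startUrl, policy) {
  const result = followRedirects(fakeFetch, startUrl, CONFIGURED_HEADERS, policy);
  return Object.keys(result.hops[result.hops.length - 1].headers).sort();
}

function headersSeenByRedirectTarget(policy) {
  return headerNamesAtFinalHop(CONFIGURED_MCP_URL, policy);
}

function headersSeenAfterSameOriginRedirect(policy) {
  return headerNamesAtFinalHop(SAME_ORIGIN_START_URL, policy);
}

console.log('forward policy, cross-origin:', headersSeenByRedirectTarget('forward'));
console.log('strip policy, cross-origin:  ', headersSeenByRedirectTarget('strip'));
console.log('strip policy, same-origin:   ', headersSeenAfterSameOriginRedirect('strip'));
```

Under the `forward` policy the third-party origin receives `X-Api-Key`; under `strip` it receives only `Content-Type`, while a redirect that stays on the configured origin keeps the full header set. The same check is the one to look for when reviewing any HTTP client that attaches per-server credentials to its requests.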


Remediation

Install security update from vendor's website.

Sources