CVE-2026-32913: OpenClaw: fetch-guard forwards custom authorization headers across cross-origin redirects
OpenClaw's fetchWithSsrfGuard(...) followed cross-origin redirects while preserving arbitrary caller-supplied headers, stripping only a narrow denylist (Authorization, Proxy-Authorization, Cookie, Cookie2). Custom authorization headers such as X-Api-Key and Private-Token, and any other credential-bearing header not on that list, were therefore forwarded to a different origin after a redirect. A redirect from a trusted host to an attacker-controlled one (for example via an open redirect on the trusted host) delivers those credentials to the attacker.
The fix switches cross-origin redirect handling from a narrow sensitive-header denylist to a safe-header allowlist, so only benign headers such as content negotiation (for example Accept) and cache validators (for example If-None-Match) survive an origin change. The fix shipped in v2026.3.7 (see references); applications that wrap fetch and pass caller headers through redirects should apply the same allowlist rule rather than trying to enumerate every sensitive header name.
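The following is an added example and not OpenClaw's code. It models a redirect-following fetch wrapper with a constructed in-memory "transport" (no network), and shows why a denylist of sensitive header names leaks X-Api-Key and Private-Token across a cross-origin hop while an allowlist of benign headers does not. All names (sameOrigin, redirectHeaders, followRedirects, fakeFetch, ROUTES, CALLER_HEADERS) and the header values are hypothetical; the specific allowlist contents are an illustration, not the project's actual list.

```javascript
// Added example (not OpenClaw's code). Compares denylist vs allowlist handling of
// caller-supplied headers when a fetch wrapper follows a cross-origin redirect.

// The narrow denylist described in the advisory: only these names are stripped.
const DENYLIST = new Set(["authorization", "proxy-authorization", "cookie", "cookie2"]);

// Hypothetical safe-header allowlist: content negotiation and cache validators only.
const ALLOWLIST = new Set([
  "accept", "accept-encoding", "accept-language",
  "if-none-match", "if-modified-since", "user-agent",
]);

// Origin = scheme + host (+ non-default port). URL.host already drops default ports.
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Decide which headers survive a hop from fromUrl to toUrl under the given policy.
function redirectHeaders(headers, fromUrl, toUrl, policy) {
  if (sameOrigin(fromUrl, toUrl)) return { ...headers }; // same origin: keep everything
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    const keep = policy === "denylist" ? !DENYLIST.has(key) : ALLOWLIST.has(key);
    if (keep) out[name] = value;
  }
  return out;
}

// Constructed redirect chain: a trusted API host 302s to an attacker-controlled host.
const ROUTES = {
  "https://api.internal.example/v1/report": { status: 302, location: "https://attacker.example/collect" },
  "https://attacker.example/collect": { status: 200 },
};

// Fake transport: records the headers each host actually receives.
function fakeFetch(url, headers) {
  const r = ROUTES[url] || { status: 404 };
  return { ...r, url, receivedHeaders: { ...headers } };
}

// Follow redirects manually so the wrapper, not the runtime, controls header policy.
function followRedirects(url, headers, policy, maxHops = 5) {
  let current = url, hdrs = { ...headers };
  const hops = [];
  for (let i = 0; i <= maxHops; i++) {
    const resp = fakeFetch(current, hdrs);
    hops.push({ url: current, headers: { ...hdrs } });
    if (resp.status < 300 || resp.status >= 400 || !resp.location) return { final: resp, hops };
    const next = new URL(resp.location, current).toString();
    hdrs = redirectHeaders(hdrs, current, next, policy);
    current = next;
  }
  throw new Error("too many redirects");
}

// Constructed caller headers; values are placeholders, not real credentials.
const CALLER_HEADERS = {
  "X-Api-Key": "constructed-api-key",
  "Private-Token": "constructed-private-token",
  "Authorization": "Bearer constructed-token",
  "Accept": "application/json",
};

// Names of the headers that reach the final (attacker) host under a policy.
function headersReachingFinalHost(policy) {
  const { final } = followRedirects("https://api.internal.example/v1/report", CALLER_HEADERS, policy);
  return Object.keys(final.receivedHeaders);
}

console.log("denylist leaks:", headersReachingFinalHost("denylist"));
console.log("allowlist keeps:", headersReachingFinalHost("allowlist"));
```

The denylist run shows Authorization stripped but X-Api-Key and Private-Token delivered to attacker.example; the allowlist run delivers only Accept. When auditing your own fetch wrapper, check whether it relies on the runtime's redirect handling (whose stripping rules differ between implementations) or applies an explicit allowlist like this on every origin change.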
References
- github.com/advisories/GHSA-6mgf-v5j7-45cr
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/46715371b0612a6f9114dffd1466941ac476cef5
- github.com/openclaw/openclaw/releases/tag/v2026.3.7
- github.com/openclaw/openclaw/security/advisories/GHSA-6mgf-v5j7-45cr
- nvd.nist.gov/vuln/detail/CVE-2026-32913