CVE-2026-32913

OpenClaw · OpenClaw

OpenClaw fails to properly validate headers during cross-origin redirects, leading to the leakage of sensitive authorization headers like API keys to untrusted destinations.

Executive summary

A critical header validation vulnerability in OpenClaw allows attackers to intercept sensitive API keys and authorization tokens by triggering cross-origin redirects.

Vulnerability

The fetchWithSsrFGuard function contains an improper header validation flaw. When a request is redirected to a different origin, the system fails to strip sensitive custom headers (e.g., X-Api-Key, Private-Token), forwarding them to the new, potentially malicious destination.
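The check that is missing here, shown as an added example rather than OpenClaw's own code: a small redirect follower that drops credential-bearing headers whenever the next hop changes origin (scheme, host or port). The header list, the function names and the two hostnames in the offline stand-in for fetch are assumptions constructed for this illustration.

```javascript
// Header names treated as credentials (assumed list; a real client should
// use the project's own policy). Compared case-insensitively.
const SENSITIVE_HEADERS = new Set([
  'authorization', 'proxy-authorization', 'cookie',
  'x-api-key', 'private-token',
]);

// Two URLs share an origin only if protocol and host (including port) match,
// so an https -> http downgrade on the same host is also cross-origin.
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Returns the header set to send on the redirected request: unchanged for a
// same-origin hop, with sensitive entries removed for a cross-origin hop.
function headersForRedirect(fromUrl, toUrl, headers) {
  if (sameOrigin(fromUrl, toUrl)) return { ...headers };
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE_HEADERS.has(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Follows redirects manually so the header filter runs on every hop.
// `fetchImpl(url, headers)` returns { status, location } and is injected,
// which keeps the example runnable offline.
function followRedirects(fetchImpl, url, headers, maxHops = 5) {
  let current = url, hdrs = { ...headers };
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = fetchImpl(current, hdrs);
    if (res.status < 300 || res.status > 399 || !res.location) {
      return { url: current, status: res.status };
    }
    const next = new URL(res.location, current).toString(); // resolve relative Location
    hdrs = headersForRedirect(current, next, hdrs);
    current = next;
  }
  throw new Error('too many redirects');
}

// Constructed stand-in for fetch: the trusted API host answers with a 302 to
// an untrusted host, and every host records the headers it was sent.
function makeFakeFetch(seen) {
  return (url, hdrs) => {
    const { host } = new URL(url);
    seen[host] = { ...hdrs };
    if (host === 'api.example.test') return { status: 302, location: 'https://untrusted.example.test/collect' };
    return { status: 200 };
  };
}
```

Inspecting `seen` after a run shows the API key reaching only the first host while non-sensitive headers such as Accept survive the hop.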

Business impact

The leakage of administrative API keys and private tokens can lead to full account takeover and unauthorized access to the OpenClaw environment. Attackers can intercept these credentials by inducing a redirect to a server they control. With a CVSS score of 9.3, this vulnerability represents a critical risk to the confidentiality of system credentials and integrated third-party services.

Remediation

Immediate Action: Update OpenClaw to version 2026.3.7 or later to ensure that sensitive headers are properly stripped during cross-origin redirects.

Proactive Monitoring: Review logs for unusual outbound requests or redirects to unknown domains, especially those initiated by automated processes or internal fetch functions.

Compensating Controls: Rotate all API keys and private tokens that may have been exposed through cross-origin requests prior to the patch application.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The exposure of authentication secrets is a critical security failure. It is imperative to update OpenClaw to the patched version immediately. Furthermore, security teams should treat any existing API keys as potentially compromised and perform a full credential rotation after the update is complete.