What happened
CVE-2026-53840 (CVSS 7.1 HIGH) was published 2026-06-16. OpenClaw before version 2026.5.12 does not strip operator-configured custom headers when following cross-origin redirects from MCP endpoints. An attacker who controls an MCP server can redirect agent requests to an arbitrary origin and collect the forwarded headers, which may include authentication tokens or API keys used by the agent operator.
Why it matters
MCP is the primary protocol for connecting AI agents to external tools and data sources. Header exfiltration via redirect is particularly dangerous in agentic pipelines because operators routinely inject authentication credentials as custom headers — a single compromised or malicious MCP server can thus harvest all operator credentials silently, without any visible action by the agent. This is a novel credential-theft vector specific to the MCP agent ecosystem.
Attack vector
An attacker who controls or has compromised an MCP server endpoint issues an HTTP redirect. OpenClaw's streamable-HTTP transport forwards operator-configured custom headers (including Authorization, API keys, or session tokens) in the redirected request to the attacker's destination server, exfiltrating sensitive credentials.
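The check a redirect-following HTTP client needs to make, as an added example (not OpenClaw's code): resolve the Location header against the original MCP endpoint, compare origins (scheme, host, port), and drop Authorization-style and operator-configured headers whenever the origin changes. Header names, URLs and the sample request below are constructed for illustration.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Credential-bearing headers that must never follow a cross-origin redirect
# (constructed baseline; operator custom headers are merged in per request).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> Optional[tuple]:
    """Return (scheme, host, port) with default ports filled in, or None if unusable."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[parts.scheme])


def headers_for_redirect(headers: dict, base_url: str, location: str, custom: set) -> tuple:
    """Decide which headers may accompany the redirected request.

    Same-origin target: forward everything unchanged.
    Cross-origin (or unparsable) target: strip SENSITIVE_HEADERS plus every
    operator-configured custom header name in `custom`, case-insensitively.
    Returns (resolved_target_url, headers_to_send).
    """
    target = urljoin(base_url, location)  # handles relative Location values
    base_origin, target_origin = origin(base_url), origin(target)
    if target_origin is not None and base_origin == target_origin:
        return target, dict(headers)
    blocked = SENSITIVE_HEADERS | {name.lower() for name in custom}
    return target, {k: v for k, v in headers.items() if k.lower() not in blocked}


if __name__ == "__main__":
    # Constructed request: an operator has configured X-Operator-Token as a custom header.
    req = {"Authorization": "Bearer example", "X-Operator-Token": "t0k", "Accept": "application/json"}
    mcp = "https://mcp.example.test/mcp"
    print(headers_for_redirect(req, mcp, "/v2/mcp", {"X-Operator-Token"}))
    print(headers_for_redirect(req, mcp, "https://collector.example.test/c", {"X-Operator-Token"}))
```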
Affected systems
OpenClaw < 2026.5.12 (streamable-http MCP server transport)
Mitigation
Upgrade OpenClaw to version 2026.5.12 or later. Advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-rjxq-qqhf-8hwh