CVE-2026-32913

CRITICAL 9.3 | EPSS 0.04%

OpenClaw: fetch-guard forwards custom authorization headers across cross-origin redirects

Published: 2026/3/9 | Modified: 2026/3/30

Description

OpenClaw's `fetchWithSsrFGuard(...)` followed cross-origin redirects while preserving arbitrary caller-supplied headers except for a narrow denylist (`Authorization`, `Proxy-Authorization`, `Cookie`, `Cookie2`). This allowed custom authorization headers such as `X-Api-Key`, `Private-Token`, and similar sensitive headers to be forwarded to a different origin after a redirect. The fix switches cross-origin redirect handling from a narrow sensitive-header denylist to a safe-header allowlist, so only benign headers such as content negotiation and cache validators survive an origin change.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.3.2`
- Patched version: `2026.3.7`
- Latest published npm version at patch time: `2026.3.2`

## Impact

A remote service that could trigger a redirect across origins could receive custom authorization credentials attached by OpenClaw callers. This can expose API keys, bearer-style custom headers, or private token headers intended only for the original destination.

## Fix Commit(s)

- `46715371b0612a6f9114dffd1466941ac476cef5`

## Verification

- `pnpm check` passed
- `pnpm test:fast` passed
- Focused redirect regression tests passed
- `pnpm exec vitest run --config vitest.gateway.config.ts` still has unrelated current-`main` failures in `src/gateway/server-channels.test.ts` and `src/gateway/server-methods/agents-mutate.test.ts`

## Release Process Note

npm `2026.3.7` was published on March 8, 2026. This advisory is fixed in the released package.

Thanks @Rickidevs for reporting.

Affected packages (1)

CVSS scores

Source | Version | Severity | Vector
osv | CVSS 4.0 | (not rated) | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N
osv | CVSS 3.1 | CRITICAL 9.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Reference links (6)