CVE-2026-53840
OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin
Description

### Summary

OpenClaw supports remote MCP Streamable HTTP servers with operator-configured custom headers. In affected releases, those headers could be forwarded when the MCP endpoint responded with a cross-origin redirect.

This issue is limited to configured MCP Streamable HTTP servers that use custom headers. It does not expose unrelated OpenClaw credentials.

### Affected configurations

This affects deployments where an MCP server is configured with:

- `transportType: "streamable-http"`
- sensitive custom headers under `mcp.servers.*.headers`
- an MCP endpoint that is malicious, compromised, or able to redirect to another origin

### Impact

Custom MCP headers, such as API keys or tenant-routing headers, could be sent to the redirect target. The exposed credential scope depends on the header the operator configured for that MCP server.

### Patched Versions

The first stable patched version is `2026.5.12`.

### Mitigations

Upgrade to `[email protected]` or later. Before upgrading, avoid custom MCP headers with servers you do not fully trust, and rotate any MCP-specific credentials that may have been exposed by a redirecting endpoint.
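To make the failure mode concrete, here is an added example (not OpenClaw's code and not the fix shipped in 2026.5.12) of the defensive pattern a Streamable HTTP client needs: follow redirects one hop at a time and re-attach the operator-configured headers only when the hop stays on the same origin. The endpoint names, the `transport` callback and the simulated redirect chain are all constructed for this illustration.

```javascript
const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);
const MAX_REDIRECTS = 5;

// Two URLs share an origin only if scheme, host and port all match.
function sameOrigin(a, b) {
  const u = new URL(a), v = new URL(b);
  return u.protocol === v.protocol && u.host === v.host;
}

// Headers to send on the hop from `fromUrl` to `nextUrl`: the operator-configured
// MCP headers are re-attached only when the redirect stays on the same origin.
function headersForHop(fromUrl, nextUrl, customHeaders, baseHeaders) {
  return sameOrigin(fromUrl, nextUrl)
    ? { ...baseHeaders, ...customHeaders }
    : { ...baseHeaders };
}

// Follow redirects manually so the header set is re-evaluated on every hop.
// `transport(url, headers)` returns { status, location, body }; it is injected
// (hypothetical) so the example runs offline against the simulation below.
function requestWithSafeRedirects(url, customHeaders, transport) {
  const base = { accept: 'application/json, text/event-stream' };
  let current = url;
  let headers = { ...base, ...customHeaders };
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    const res = transport(current, headers);
    if (!REDIRECT_STATUSES.has(res.status)) return { ...res, finalUrl: current };
    const next = new URL(res.location, current).href;
    headers = headersForHop(current, next, customHeaders, base);
    current = next;
  }
  throw new Error('too many redirects');
}

// Constructed simulation (no real server): the configured endpoint first redirects
// within its own origin, then to a different origin. Every request is logged so the
// caller can inspect exactly which headers reached which origin.
function simulateRedirectChain(customHeaders) {
  const log = [];
  const transport = (url, headers) => {
    log.push({ url, headers });
    if (url === 'https://mcp.example.test/mcp') return { status: 307, location: '/v2/mcp', body: '' };
    if (url === 'https://mcp.example.test/v2/mcp') return { status: 302, location: 'https://other.example.test/mcp', body: '' };
    return { status: 200, location: undefined, body: 'ok' };
  };
  const res = requestWithSafeRedirects('https://mcp.example.test/mcp', customHeaders, transport);
  return { res, log };
}
```

The same-origin hop still carries the configured headers; the cross-origin hop receives only the base `accept` header, which is the behaviour a client must guarantee for `mcp.servers.*.headers` to stay scoped to the configured server.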
How to fix CVE-2026-53840
To fix CVE-2026-53840, upgrade the affected package to the patched version listed below.
- — upgrade to 2026.5.12 or later
Is CVE-2026-53840 being exploited?
There are currently no signs of exploitation. CVE-2026-53840 is not listed in CISA KEV and has no recent EPSS score.
Affected packages (1)
- from 0, < 2026.5.12
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |