PatchSiren cyber security CVE debrief
CVE-2026-53840 OpenClaw CVE debrief
CVE-2026-53840 is an information disclosure vulnerability in OpenClaw before 2026.5.12. It affects streamable-http MCP (Model Context Protocol) servers that forward user-configured custom headers during cross-origin redirects. An attacker who controls or has compromised an MCP endpoint can answer with a redirect and thereby exfiltrate sensitive headers, such as API keys or tenant-routing credentials, to an attacker-controlled origin. The CVSS score for this vulnerability is 6, indicating medium severity.
- Vendor: OpenClaw
- Product: Unknown
- CVSS: MEDIUM 6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-17
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-17
Who should care
Users of OpenClaw before version 2026.5.12 should be aware of this vulnerability and take steps to mitigate it. Those who have configured custom headers for their streamable-http MCP servers are specifically at risk, because those are the headers that can be leaked.
Technical summary
The vulnerability is caused by the forwarding of user-configured custom headers during cross-origin redirects in streamable-http MCP servers: when an MCP endpoint responds with a redirect to a different origin, the client re-sends the configured headers to that origin as well. Because those headers carry API keys or tenant-routing credentials, the redirect target (which the endpoint operator chooses) receives them, allowing sensitive information to be exfiltrated to attacker-controlled origins.
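As an added illustration (not OpenClaw's code, and not a description of the exact change in 2026.5.12, which this debrief does not detail), the following Python shows the client-side check that closes this class of leak: the redirect target is resolved, compared by origin (scheme, host and port) with the original MCP URL, and user-configured headers are withheld whenever the origin differs. The URLs, header names and token value are constructed sample data.

```python
from urllib.parse import urljoin, urlsplit

# Headers that carry no credentials and may follow a redirect anywhere.
# Any other user-configured header (Authorization, X-Tenant-Id, API-key
# headers, ...) is treated as sensitive and withheld on a cross-origin hop.
ORIGIN_AGNOSTIC = {"accept", "accept-encoding", "content-type", "user-agent"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple[str, str, int]:
    """(scheme, host, port) with default ports filled in, so that
    https://a.example/ and https://a.example:443/ compare as one origin."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme, -1)
    return scheme, (p.hostname or "").lower(), port


def same_origin(a: str, b: str) -> bool:
    return origin_of(a) == origin_of(b)


def headers_for_redirect(request_url: str, location: str,
                         headers: dict[str, str]) -> tuple[str, dict[str, str], list[str]]:
    """Resolve Location (which may be relative) and decide which request headers
    may be re-sent. Returns (target_url, headers_to_send, withheld_names).
    withheld_names is worth logging: a redirect that would have carried
    credentials off-origin is the detection signal for this kind of endpoint."""
    target = urljoin(request_url, location)
    if same_origin(request_url, target):
        return target, dict(headers), []
    kept = {k: v for k, v in headers.items() if k.lower() in ORIGIN_AGNOSTIC}
    withheld = [k for k in headers if k.lower() not in ORIGIN_AGNOSTIC]
    return target, kept, withheld


# Constructed sample: a client configured with an API key and a tenant-routing
# header for its MCP endpoint, then told to follow a redirect elsewhere.
MCP_URL = "https://mcp.example.com/mcp"
CONFIGURED = {
    "Accept": "application/json, text/event-stream",
    "Authorization": "Bearer sk-example-not-real",
    "X-Tenant-Id": "tenant-42",
}

if __name__ == "__main__":
    for loc in ("/v2/mcp", "https://collector.example.net/ingest"):
        url, send, withheld = headers_for_redirect(MCP_URL, loc, CONFIGURED)
        print(f"{loc!r:40} -> {url}\n  send={sorted(send)} withheld={withheld}")
```

A same-origin redirect keeps every configured header; the cross-origin one is followed with only the Accept header, and the withheld names are reported for logging.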
Defensive priority
High
Recommended defensive actions
- Upgrade to OpenClaw version 2026.5.12 or later
- Review the custom headers configured for streamable-http MCP servers and remove any that are not strictly needed
- Implement additional security measures to protect the sensitive headers that remain
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information can be found in the source references [ref-4] and [ref-5].
Official resources
CVE-2026-53840 was published on 2026-06-16T19:17:00.863Z and modified on 2026-06-16T20:42:46.200Z.