CVE-2026-53840: OpenClaw: credential exfiltration via MCP header forwarding

HIGH
Published June 16, 2026
CISO Take

OpenClaw before 2026.5.12 forwards operator-configured custom HTTP headers—including API keys and tenant-routing credentials—verbatim to attacker-controlled origins when its streamable-http MCP server follows cross-origin redirects. Any AI agent deployment using OpenClaw to proxy calls to downstream LLM APIs or enterprise services via credentialed headers is at direct risk of full credential exposure, with only low-privilege access to an MCP endpoint required and no user interaction needed. The attack surface is expanding rapidly as MCP adoption grows across AI agent frameworks, and while there is no public exploit or KEV listing today, the technique requires only basic HTTP redirect manipulation—well within reach of opportunistic threat actors. Upgrade to OpenClaw 2026.5.12 or later immediately; as an interim measure, strip sensitive credentials from custom header configurations and restrict MCP server outbound traffic to an explicit allowlist of approved destinations.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

CVSS 7.1 High with low attack complexity, low privileges required, no user interaction, and network accessibility makes this readily weaponizable. The confidentiality impact is rated High (C:H), reflecting full credential exposure to any attacker who can influence redirect targets. In AI agent environments—where MCP servers routinely carry LLM provider API keys and enterprise service tokens—the blast radius extends well beyond the vulnerable host into downstream billing, data, and identity systems. Absence of a public exploit and KEV listing moderates immediate urgency, but the expanding MCP deployment surface and trivial exploitation mechanics warrant prompt remediation.

How does the attack unfold?

Initial Access
Adversary obtains low-privilege access to an OpenClaw MCP endpoint by compromising an agent API key or targeting a misconfigured MCP server exposed to the network.
AML.T0049
Redirect Injection
Adversary configures or injects a cross-origin redirect from a legitimate MCP resource endpoint to an attacker-controlled HTTPS server designed to log incoming headers.
AML.T0106
Credential Exfiltration
OpenClaw's streamable-http client follows the redirect and forwards all operator-configured custom headers—including API keys and tenant-routing credentials—verbatim to the attacker's server.
AML.T0025
Impact
Attacker leverages harvested credentials to make authenticated LLM API calls at victim cost, access or exfiltrate tenant data, or pivot laterally into enterprise services accepting the stolen tokens.
AML.T0083

What systems are affected?

Package    Ecosystem    Vulnerable Range    Patched
OpenClaw   pip                              No patch
4 dependents, 61% patched, ~0d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
7.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: Low
A: None

What should I do?

5 steps
  1. Patch: Upgrade OpenClaw to 2026.5.12 or later—the only complete fix.

  2. Workaround: Immediately audit and remove sensitive credentials from custom header configurations in MCP server setup; inject authentication at the destination service layer rather than via forwarded MCP headers.

  3. Network controls: Restrict MCP server outbound HTTP traffic to an explicit allowlist of approved destination domains to block redirect-based exfiltration.

  4. Detection: Monitor MCP server and reverse-proxy logs for cross-origin redirect chains; alert on outbound requests where authentication headers appear destined for unrecognized domains.

  5. Credential rotation: If the exposure window is unclear, rotate all API keys and tokens that may have transited OpenClaw MCP custom headers.
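The detection step above (cross-origin redirect chains, and authentication headers bound for unrecognised domains) can be expressed as a small log-review routine. The following is an added example, not OpenClaw's own code or log format: the JSON-lines records, the field names, the credential header names and the approved-domain list are all constructed assumptions that you would map onto your own MCP client or reverse-proxy logs.

```python
"""Flag cross-origin redirect chains that carry credential headers to
unapproved hosts.  Log records, field names, header names and the
allowlist below are constructed for this example (not OpenClaw's schema)."""
import json
from urllib.parse import urlsplit

# Header names whose presence on an outbound request counts as a credential.
# Assumed set: add the custom header names your deployment actually uses.
CREDENTIAL_HEADERS = {"authorization", "x-api-key", "x-tenant-token"}

# Hosts that are allowed to receive credential headers (assumed allowlist).
APPROVED_DOMAINS = {"mcp.internal.example", "api.llm-provider.example"}

# Constructed sample of an MCP client's outbound request log, one JSON object
# per line.  "headers" lists the header names sent with that request and
# "location" is the Location header of a redirect response, if any.
SAMPLE_LOG = """
{"ts": "2026-06-16T10:00:01Z", "req_id": "r1", "method": "POST", "url": "https://mcp.internal.example/mcp", "status": 307, "location": "https://mcp.internal.example/v2/mcp", "headers": ["authorization", "x-tenant-token", "content-type"]}
{"ts": "2026-06-16T10:00:01Z", "req_id": "r1", "method": "POST", "url": "https://mcp.internal.example/v2/mcp", "status": 200, "location": null, "headers": ["authorization", "x-tenant-token", "content-type"]}
{"ts": "2026-06-16T10:00:05Z", "req_id": "r2", "method": "POST", "url": "https://mcp.internal.example/mcp", "status": 302, "location": "https://untrusted.example/hook", "headers": ["authorization", "x-api-key", "content-type"]}
{"ts": "2026-06-16T10:00:05Z", "req_id": "r2", "method": "POST", "url": "https://untrusted.example/hook", "status": 200, "location": null, "headers": ["authorization", "x-api-key", "content-type"]}
{"ts": "2026-06-16T10:00:09Z", "req_id": "r3", "method": "GET", "url": "https://api.llm-provider.example/v1/models", "status": 200, "location": null, "headers": ["authorization"]}
"""


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def parse_log(text):
    """Parse JSON-lines log text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_cross_origin_redirects(events):
    """Return (req_id, from_host, to_host) for every 3xx response whose
    Location header points at a different host than the request."""
    hits = []
    for e in events:
        if 300 <= e["status"] < 400 and e.get("location"):
            src, dst = host_of(e["url"]), host_of(e["location"])
            if src != dst:
                hits.append((e["req_id"], src, dst))
    return hits


def find_credential_leaks(events):
    """Return an alert for each request that sent a credential header to a
    host outside the approved-domain allowlist."""
    alerts = []
    for e in events:
        host = host_of(e["url"])
        creds = sorted({h.lower() for h in e["headers"]} & CREDENTIAL_HEADERS)
        if creds and host not in APPROVED_DOMAINS:
            alerts.append({"req_id": e["req_id"], "host": host, "headers": creds})
    return alerts


def credentialed_redirect_chains(events):
    """req_ids that first redirected cross-origin and then sent credentials
    to an unapproved host: the exact chain the advisory describes."""
    redirected = {rid for rid, _, _ in find_cross_origin_redirects(events)}
    leaked = {a["req_id"] for a in find_credential_leaks(events)}
    return sorted(redirected & leaked)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for rid, src, dst in find_cross_origin_redirects(events):
        print(f"cross-origin redirect {rid}: {src} -> {dst}")
    for alert in find_credential_leaks(events):
        print(f"ALERT {alert['req_id']}: {alert['headers']} sent to {alert['host']}")
    print("credentialed redirect chains:", credentialed_redirect_chains(events))
```

Run against the constructed sample, request r1 (a same-host path redirect) and r3 (a credentialed call to an approved LLM API host) are silent, while r2 is reported both as a cross-origin redirect and as a credential leak, which is the combination worth paging on. A same-origin redirect alone is normal MCP traffic, and a credentialed request to an approved host alone is the intended proxying, so correlating the two conditions per request keeps the alert rate low.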

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI system operational controls
NIST AI RMF
GOVERN 6.1 - Policies and procedures for AI risk management
OWASP LLM Top 10
LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-53840 actively exploited?

No confirmed active exploitation of CVE-2026-53840 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-53840?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, MCP-based multi-agent systems, LLM API proxy layers, Multi-tenant AI platforms, Enterprise AI integration pipelines.

What is the CVSS score for CVE-2026-53840?

CVE-2026-53840 has a CVSS v3.1 base score of 7.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

AI agent frameworks
MCP-based multi-agent systems
LLM API proxy layers
Multi-tenant AI platforms
Enterprise AI integration pipelines

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: 8.4
NIST AI RMF: GOVERN 6.1
OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint can redirect requests to exfiltrate sensitive headers like API keys or tenant-routing credentials to attacker-controlled origins.

Exploitation Scenario

An adversary with low-privilege access to an OpenClaw MCP endpoint—obtained via a compromised agent API key or a publicly reachable misconfigured MCP server—configures a redirect from a legitimate MCP resource URL to an attacker-controlled HTTPS server. When OpenClaw's streamable-http client follows the redirect, it forwards all operator-configured custom headers verbatim, including LLM provider API keys and tenant-routing tokens. The attacker's server logs the incoming headers, capturing live credentials without any victim interaction. The adversary then uses these credentials to make authenticated LLM API calls at the victim's expense, enumerate or exfiltrate tenant-specific data, or pivot laterally into enterprise services that accept the stolen tokens.
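The defect the scenario turns on is a redirect policy: the client resolves the Location header and resends every operator-configured header to the new target regardless of where it points. The following added example (not OpenClaw's code, and not a claim about how OpenClaw implements redirects) contrasts a forward-everything policy that models the behaviour the advisory describes with a hardened policy in which same-origin redirects keep their headers, cross-origin redirects to unapproved hosts are refused, and cross-origin redirects to approved hosts are followed without any credential headers. The sensitive header names and the approved-host allowlist are assumptions.

```python
"""Added example (not OpenClaw code): redirect-following policies for an MCP
HTTP client.  Header names and approved hosts below are assumptions."""
from urllib.parse import urljoin, urlsplit

# Headers treated as credentials (assumed names; add your own custom headers).
SENSITIVE_HEADERS = {"authorization", "x-api-key", "x-tenant-token", "cookie"}

DEFAULT_PORTS = {"https": 443, "http": 80}


class RedirectBlocked(Exception):
    """Raised when a cross-origin redirect points outside the approved hosts."""


def origin(url):
    """(scheme, host, port) triple with default ports normalised, so that
    https://a/ and https://a:443/ compare equal and https -> http does not."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))


def forward_all(request_url, location, headers):
    """Models the behaviour the advisory describes for versions before
    2026.5.12: every configured header is resent to whatever Location names."""
    return urljoin(request_url, location), dict(headers)


def headers_for_redirect(request_url, location, headers, *, approved_hosts=frozenset()):
    """Hardened policy.  Returns (target_url, headers_to_send) or raises.

    - same-origin redirect (for example a path change on the MCP server): keep all headers
    - cross-origin redirect to a host not on the allowlist: refuse to follow
    - cross-origin redirect to an approved host: follow, but drop credential headers
    """
    # A relative Location resolves against the request URL (stays same-origin).
    target = urljoin(request_url, location)
    if origin(request_url) == origin(target):
        return target, dict(headers)
    target_host = (urlsplit(target).hostname or "").lower()
    if target_host not in approved_hosts:
        raise RedirectBlocked(f"redirect from {request_url} to {target} is not an approved destination")
    kept = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}
    return target, kept


def is_blocked(request_url, location, headers, approved_hosts=frozenset()):
    """Convenience check: True if the hardened policy refuses this redirect."""
    try:
        headers_for_redirect(request_url, location, headers, approved_hosts=approved_hosts)
    except RedirectBlocked:
        return True
    return False


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    configured = {"Authorization": "Bearer <placeholder>",
                  "X-Tenant-Token": "<placeholder>",
                  "Content-Type": "application/json"}
    mcp = "https://mcp.internal.example/mcp"
    print("forward-everything:", forward_all(mcp, "https://untrusted.example/hook", configured))
    print("same-origin:", headers_for_redirect(mcp, "/v2/mcp", configured))
    print("cross-origin, unapproved blocked:", is_blocked(mcp, "https://untrusted.example/hook", configured))
    print("cross-origin, approved:", headers_for_redirect(
        mcp, "https://api.llm-provider.example/v1", configured,
        approved_hosts={"api.llm-provider.example"}))
```

Two design points are worth noting. The origin comparison includes the scheme, so a redirect from https to http on the same host is treated as cross-origin and loses its credentials rather than sending them in clear text. And credential headers are stripped on every cross-origin hop, even to an approved host: the allowlist decides whether the client may talk to a destination at all, while the headers configured for the MCP server never leave that server's origin, which is the property the advisory says versions before 2026.5.12 lacked.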

Weaknesses (CWE)

CWE-522 — Insufficiently Protected Credentials: The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

  • [Architecture and Design] Use an appropriate security mechanism to protect the credentials.
  • [Architecture and Design] Make appropriate use of cryptography to protect the credentials.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 16, 2026

Related Vulnerabilities