OpenClaw Media Download Exposes Authorization Headers in Redirects
GHSA-68v4-hmwv-f43h
Summary
A security issue in OpenClaw version 2026.3.28 and earlier allows an attacker to obtain a user's credentials when a media download is redirected to a different website: the client kept the Authorization header on the request when following the cross-origin redirect, so the redirect target received it. This is a medium-risk vulnerability that can be fixed by updating to version 2026.3.31 or later. We recommend updating to the latest version of OpenClaw to protect your users' data.
What to do
- Update openclaw to version 2026.3.31.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.31 | 2026.3.31 |
Original title
OpenClaw: Media download follows cross-origin redirects with Authorization headers intact
Original description
## Summary
Media download follows cross-origin redirects with Authorization headers intact
## Current Maintainer Triage
- Status: open
- Normalized severity: medium
- Assessment: Shipped v2026.3.28 media downloads forwarded Authorization across cross-origin redirects, a real in-scope credential-leak class that fits medium.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`
## Fix Commit(s)
- `e704323ff388ed21f6963f9b8e0b1b8dfaaabc5f` — 2026-03-31T19:57:42+09:00
OpenClaw thanks @AntAISecurityLab for reporting.
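To make the credential-leak class in this advisory concrete, here is an added example (written for this page, not OpenClaw's code or its fix commit) of a media downloader that follows HTTP redirects itself and decides per hop which request headers may travel on. With `stripCredentialsCrossOrigin` set to false it reproduces the pre-fix behaviour the advisory describes; with the default of true, Authorization is dropped when the Location header points at another origin. The host names, the in-process mock server, the `Bearer secret` token and the function names are all constructed for the demonstration; Cookie and Proxy-Authorization are treated like Authorization as a defensive generalization beyond what the advisory names.

```javascript
// Added example, not OpenClaw's code: a media downloader that follows HTTP
// redirects itself and decides per hop which request headers may travel on.
// Host names, the mock server and the "Bearer secret" token are constructed
// for this demonstration.

// Headers that carry credentials and must not follow a cross-origin redirect.
// The advisory concerns Authorization; Cookie and Proxy-Authorization are
// handled the same way here as a defensive generalization.
const CREDENTIAL_HEADERS = new Set(['authorization', 'cookie', 'proxy-authorization']);

function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Returns the header set for the next hop. With stripCredentialsCrossOrigin
// false this reproduces the pre-fix behaviour described in the advisory:
// every header, Authorization included, is forwarded to whatever origin
// the Location header names.
function headersForRedirect(fromUrl, toUrl, headers, stripCredentialsCrossOrigin) {
  const next = {};
  const crossOrigin = !sameOrigin(fromUrl, toUrl);
  for (const [name, value] of Object.entries(headers)) {
    if (stripCredentialsCrossOrigin && crossOrigin && CREDENTIAL_HEADERS.has(name.toLowerCase())) {
      continue; // drop the credential instead of sending it to the new origin
    }
    next[name] = value;
  }
  return next;
}

// Follows up to maxHops redirects. fetchImpl is injectable (synchronous here
// so the example runs without a network); it receives (url, { headers }) and
// returns { status, headers: Map, body }.
function downloadMedia(url, headers, fetchImpl, { stripCredentialsCrossOrigin = true, maxHops = 5 } = {}) {
  let currentUrl = url;
  let currentHeaders = { ...headers };
  const hops = [];
  for (let i = 0; i <= maxHops; i++) {
    const res = fetchImpl(currentUrl, { headers: currentHeaders });
    hops.push({
      url: currentUrl,
      sentAuthorization: Object.keys(currentHeaders).some((k) => k.toLowerCase() === 'authorization'),
    });
    const location = res.headers.get('location');
    if (res.status >= 300 && res.status < 400 && location) {
      const nextUrl = new URL(location, currentUrl).toString(); // resolve a relative Location
      currentHeaders = headersForRedirect(currentUrl, nextUrl, currentHeaders, stripCredentialsCrossOrigin);
      currentUrl = nextUrl;
      continue;
    }
    return { finalUrl: currentUrl, status: res.status, body: res.body, hops };
  }
  throw new Error(`more than ${maxHops} redirects`);
}

// Constructed mock server: /moved redirects within media.example.com, and
// /file.png then redirects to a different origin, cdn.other.example.
function makeMockFetch(requestLog) {
  return (url, opts) => {
    const auth = opts.headers.Authorization ?? opts.headers.authorization ?? null;
    requestLog.push({ url, authorization: auth });
    const u = new URL(url);
    if (u.host === 'media.example.com' && u.pathname === '/moved') {
      return { status: 302, headers: new Map([['location', '/file.png']]), body: null };
    }
    if (u.host === 'media.example.com' && u.pathname === '/file.png') {
      return { status: 302, headers: new Map([['location', 'https://cdn.other.example/file.png']]), body: null };
    }
    return { status: 200, headers: new Map(), body: 'PNG-bytes' };
  };
}

// Runs the same download under both policies and reports which hosts saw the token.
function demo() {
  const token = { Authorization: 'Bearer secret' }; // constructed credential
  const leakyLog = [];
  downloadMedia('https://media.example.com/moved', token, makeMockFetch(leakyLog), { stripCredentialsCrossOrigin: false });
  const safeLog = [];
  downloadMedia('https://media.example.com/moved', token, makeMockFetch(safeLog));
  const hostsWithToken = (log) => log.filter((r) => r.authorization).map((r) => new URL(r.url).host);
  return { leakyHostsThatSawToken: hostsWithToken(leakyLog), safeHostsThatSawToken: hostsWithToken(safeLog) };
}

console.log(demo());
```

In the leaky run the third-party host receives the bearer token; in the hardened run only the origin the user addressed ever sees it, while the same-origin hop keeps working. The same check belongs wherever a client follows redirects manually or through a library that forwards every header unchanged; scheme, host and port together define the origin, so a downgrade from https to http on the same host also counts as cross-origin here.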
CVSS 4.0 score (OSV): 8.3
Vulnerability type: CWE-522 (Insufficiently Protected Credentials)
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026