Duplicate Advisory: MCP Streamable HTTP redirects could forward configured custom headers to another origin
- When
- Where
- Global (internet)
- Category
- cyber_advisory · pip
## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rjxq-qqhf-8hwh. This link is maintained to preserve external references. ## Original Description OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint can redirect requests to exfiltrate sensitive headers like API keys or tenant-routing credentials to attacker-controlled origins.
Sources
- GitHub Advisory Database ↗ · first seen 2026-06-16 21:31 UTC
Defaxon links out to the original reporting and never republishes article text.
Correlated events
Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.
No correlated events found in the current window. As more events arrive, connections form automatically.