js · openclaw · Critical
OpenClaw MCP Streamable HTTP Server Custom Header Forwarding on Redirect
What changed
OpenClaw MCP Streamable HTTP servers with custom headers could forward those headers to a redirect target when the MCP endpoint responds with a cross-origin redirect.
Who it affects
Deployments where an MCP server is configured with transportType 'streamable-http', sensitive custom headers under mcp.servers.*.headers, and an MCP endpoint that is malicious, compromised, or able to redirect to another origin.
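The following is an added example, not OpenClaw's own code: a redirect-following wrapper for a Streamable HTTP client that keeps the caller's custom headers (the kind configured under mcp.servers.*.headers) bound to the origin they were configured for, and drops them whenever the endpoint redirects cross-origin. The origins, the `fetchImpl` injection point and the fake network stand-in are constructed so the example runs offline.

```javascript
// Added example, not OpenClaw's own code: custom headers only follow a
// redirect when the target stays on the same origin as the configured endpoint.
const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

// Policy decision for one redirect hop: same origin keeps the headers,
// any other origin gets none of them.
function headersForRedirect(fromUrl, toUrl, headers) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl, from);
  return from.origin === to.origin ? { ...headers } : {};
}

async function fetchWithSafeRedirect(url, headers, fetchImpl, maxRedirects = 5) {
  let current = new URL(url).toString();
  let sent = { ...headers };
  for (let hop = 0; hop <= maxRedirects; hop++) {
    // redirect: 'manual' keeps the redirect decision in this code, not the runtime.
    const res = await fetchImpl(current, { headers: sent, redirect: 'manual' });
    const location = res.headers.get('location');
    if (!REDIRECT_STATUSES.has(res.status) || !location) return res;
    const next = new URL(location, current).toString();
    sent = headersForRedirect(current, next, sent);
    current = next;
  }
  throw new Error(`more than ${maxRedirects} redirects`);
}

// Constructed stand-in for the network (hypothetical origins): the MCP endpoint
// answers with a cross-origin redirect, and every request is logged so we can
// check which headers each origin actually received.
function makeFakeFetch(log) {
  return async (url, init) => {
    log.push({ url, headers: { ...init.headers } });
    if (new URL(url).origin === 'https://mcp.example') {
      return { status: 307, headers: new Map([['location', 'https://other.example/mcp']]) };
    }
    return { status: 200, headers: new Map() };
  };
}

async function demo() {
  const log = [];
  const res = await fetchWithSafeRedirect('https://mcp.example/mcp',
    { Authorization: 'Bearer CONSTRUCTED-TOKEN' }, makeFakeFetch(log));
  return { status: res.status, log };
}
```

In the demo the second request, sent to the other origin, carries no Authorization header, which is the behaviour the fixed transport should show.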
What to do today
Upgrade to [email protected] or later; rotate any MCP-specific credentials that may have been exposed by a redirecting endpoint.