CVE-2026-40037
MEDIUM WAF: Medium
CVSS 6.5
Published: 2026-04-08
CWE-601
OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attackers can exploit this by triggering redirects to exfiltrate sensitive request data or headers to unintended origins.
WAF Coverage Analysis
Open Redirect
Medium WAF Coverage
OWASP: A01:2021 Broken Access Control
941xxx - XSS / XXE
Affected Software
| Vendor | Product | Version |
|---|---|---|
| openclaw | openclaw | up to 2026.4.8 |
References
- github.com (Patch)
- github.com (Vendor Advisory)
- www.vulncheck.com (Third Party Advisory)