Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1015

NIXPKGS-2026-1015
published on
Permalink CVE-2026-40037
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 weeks, 6 days ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 6 days ago
  • @LeSuisse accepted 2 weeks, 6 days ago
  • @LeSuisse published on GitHub 2 weeks, 6 days ago
OpenClaw < 2026.3.31 - Unsafe Request Body Replay via fetchWithSsrFGuard Cross-Origin Redirects

OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attackers can exploit this by triggering redirects to exfiltrate sensitive request data or headers to unintended origins.

Affected products

OpenClaw
  • ==2026.4.8
  • <2026.3.31

Matching in nixpkgs

Package maintainers