3 matches found
CVE-2026-54673
The CVE affects electron-updater (builder-util-runtime component) prior to version 9.7.0. The root cause is that HttpExecutor.prepareRedirectUrlOptions only stripped a credential header named exactly the lowercase string “authorization.” Other credential-bearing headers, notably PRIVATE-TOKEN and...
CVE-2026-54673 electron-updater: Cross-origin redirect leaks `PRIVATE-TOKEN` and mixed-case `Authorization` credentials in `builder-util-runtime`
electron-updater allows for automatic updates for Electron apps. Prior to 9.7.0, the HTTP redirect handler HttpExecutor.prepareRedirectUrlOptions only stripped a credential header whose key string matched exactly lowercase "authorization", exposing credentials. Other credential-bearing headers —...
PT-2026-27245
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.7 Description OpenClaw’s fetchWithSsrFGuard... function improperly validates headers during cross-origin redirects, allowing custom authorization headers like X-Api-Key and Private-Token to be forwarded to a...