Duplicate Advisory: OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload

GHSA-v8j2-5f9p-fmh4

Published May 11, 2026 · Modified May 18, 2026

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-q8ff-7ffm-m3r9. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until gateway or plugin restart.

References

WEB https://github.com/openclaw/openclaw/security/advisories/GHSA-q8ff-7ffm-m3r9
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-45005
WEB https://github.com/openclaw/openclaw/commit/36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa
PACKAGE https://github.com/openclaw/openclaw
WEB https://www.vulncheck.com/advisories/openclaw-webhook-route-secret-cache-not-invalidated-after-rotation

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes