CVE-2026-45005

MEDIUM NVD

CVSS Score 6

Severity MEDIUM

Published May 11, 2026

Vendor unknown

Description

OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until gateway or plugin restart.

References

https://github.com/openclaw/openclaw/commit/36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa
https://github.com/openclaw/openclaw/security/advisories/GHSA-q8ff-7ffm-m3r9
https://www.vulncheck.com/advisories/openclaw-webhook-route-secret-cache-not-invalidated-after-rotation