PT-2026-39694 · Openclaw · Openclaw

Feynman-Hou

·

Published

2026-05-05

·

Updated

2026-05-11

·

CVE-2026-45005

CVSS v3.1

6.0

Medium

VectorAV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.23
Description The software caches resolved webhook route secrets backed by SecretRef values. This behavior allows stale secrets to remain valid even after they have been rotated and reloaded. Consequently, an attacker possessing previously valid webhook route secrets can continue to authenticate requests and invoke configured webhook task flows until the gateway or plugin is restarted.
Recommendations Update to version 2026.4.23 or later. As a temporary workaround, restart the gateway or plugin to clear the cached secrets.

Exploit

Fix

Insufficient Session Expiration

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45005
GHSA-Q8FF-7FFM-M3R9
GHSA-V8J2-5F9P-FMH4

Affected Products

Openclaw