PT-2026-39694 · Openclaw · Openclaw
Feynman-Hou
·
Published
2026-05-05
·
Updated
2026-05-11
·
CVE-2026-45005
CVSS v3.1
6.0
Medium
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.4.23
Description
The software caches resolved webhook route secrets backed by
SecretRef values. This behavior allows stale secrets to remain valid even after they have been rotated and reloaded. Consequently, an attacker possessing previously valid webhook route secrets can continue to authenticate requests and invoke configured webhook task flows until the gateway or plugin is restarted.Recommendations
Update to version 2026.4.23 or later.
As a temporary workaround, restart the gateway or plugin to clear the cached secrets.
Exploit
Fix
Insufficient Session Expiration
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Openclaw