CVE-2026-45005

OpenClaw < 2026.4.23 - Webhook Route Secret Cache Not Invalidated After Rotation

CVSS 5.9 MEDIUMEPSS 0.3%CWE-672

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.9EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

11 May 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until gateway or plugin restart.

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

Affected products

OpenClaw · OpenClaw

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/openclaw/openclaw/commit/36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa https://github.com/openclaw/openclaw/security/advisories/GHSA-q8ff-7ffm-m3r9 https://www.vulncheck.com/advisories/openclaw-webhook-route-secret-cache-not-invalidated-after-rotation