8 matches found
CVE-2026-53830
OpenClaw prior to 2026.4.22 is affected by a webhook secret revocation bypass. The vulnerability lets callers with old Slack/Zalo webhook secrets remain active after secrets.reload, enabling delivery of webhook events during the stale-secret window and potentially accepting previous credentials. ...
CVE-2026-53830 OpenClaw < 2026.4.22 - Webhook Secret Revocation Bypass via secrets.reload
OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation,...
CVE-2026-45005
OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until...
Duplicate Advisory: OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-q8ff-7ffm-m3r9. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to...
GHSA-V8J2-5F9P-FMH4 Duplicate Advisory: OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-q8ff-7ffm-m3r9. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to...
CVE-2026-45005
OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until...
CVE-2026-45005 OpenClaw < 2026.4.23 - Webhook Route Secret Cache Not Invalidated After Rotation
OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until...
CVE-2026-45005
OpenClaw