GHSA-xmxx-7p24-h892
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xmxx-7p24-h892
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xmxx-7p24-h892/GHSA-xmxx-7p24-h892.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xmxx-7p24-h892
- Aliases
-
- CVE-2026-43585
- Downstream
- Published
- 2026-04-17T22:32:02Z
- Modified
- 2026-05-12T17:10:16.424233Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation
- Details
-
Summary
Gateway HTTP and WebSocket handlers captured the resolved bearer-auth configuration when the server started. After a SecretRef rotation, the already-running gateway could continue accepting the old bearer token until restart.
Impact
A bearer token that should have been revoked by SecretRef rotation could remain valid on the gateway HTTP and upgrade surfaces for the lifetime of the process. Severity remains high because the old token could continue to authorize gateway requests after operators believed it was rotated out.
Affected versions
- Affected:
< 2026.4.15 - Patched:
2026.4.15
Fix
OpenClaw
2026.4.15resolves active gateway auth from the runtime secret snapshot per request and per upgrade instead of using a stale startup-time value.Verified in
v2026.4.15:src/gateway/server.impl.tsexposesgetResolvedAuth()backed by the current runtime secret snapshot.src/gateway/server-http.tscallsgetResolvedAuth()for each HTTP request and WebSocket upgrade before running auth checks.src/gateway/server-http.probe.test.tsverifies/readyre-resolves bearer auth after rotation and rejects the old token.
Fix commit included in
v2026.4.15and absent fromv2026.4.14:acd4e0a32f12e1ad85f3130f63b42443ce90f094via PR #66651
Thanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue.
- Affected:
- Database specific
{ "cwe_ids": [ "CWE-324", "CWE-672" ], "github_reviewed": true, "github_reviewed_at": "2026-04-17T22:32:02Z", "nvd_published_at": null, "severity": "CRITICAL" }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-xmxx-7p24-h892
- https://nvd.nist.gov/vuln/detail/CVE-2026-43585
- https://github.com/openclaw/openclaw/pull/66651
- https://github.com/openclaw/openclaw/commit/acd4e0a32f12e1ad85f3130f63b42443ce90f094
- https://github.com/openclaw/openclaw
- https://www.vulncheck.com/advisories/openclaw-bearer-token-validation-bypass-via-stale-secretref-resolution
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw