GHSA-q8ff-7ffm-m3r9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q8ff-7ffm-m3r9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-q8ff-7ffm-m3r9/GHSA-q8ff-7ffm-m3r9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-q8ff-7ffm-m3r9
- Aliases
-
- CVE-2026-45005
- Downstream
- Published
- 2026-05-05T18:42:51Z
- Modified
- 2026-05-19T16:00:10.553685080Z
- Severity
-
- 6.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L CVSS Calculator
- Summary
- OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload
- Details
-
Summary
OpenClaw webhooks allowed route secrets to be backed by
SecretRefvalues, but cached the resolved secret for a route. After an operator rotated the underlying secret and ranopenclaw secrets reload, the previous resolved webhook secret could remain valid until the plugin or gateway restarted.Impact
An attacker who already had a previously valid webhook route secret could continue authenticating webhook requests after the operator rotated the secret and reloaded secrets. This weakened credential rotation for webhook routes and could allow continued invocation of the configured webhook task flow until restart.
Affected Packages / Versions
- Package:
openclawon npm - Affected: versions before
2026.4.23 - Fixed:
2026.4.23 - Latest stable verified fixed:
openclaw@2026.4.23, tagv2026.4.23
Fix
Webhook route authentication now resolves
SecretRef-backed route secrets on each request. A rotated secret becomes effective afteropenclaw secrets reloadwithout requiring a gateway or plugin restart, and the old secret is rejected.Fix Commit(s)
36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa(fix(webhooks): reload route secrets per request)
Severity
Severity remains
medium. The attack requires possession of a previously valid route secret, but the stale credential can continue to authorize webhook actions after rotation. - Package:
- Database specific
{ "github_reviewed_at": "2026-05-05T18:42:51Z", "nvd_published_at": null, "cwe_ids": [ "CWE-613" ], "severity": "MODERATE", "github_reviewed": true }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-q8ff-7ffm-m3r9
- https://nvd.nist.gov/vuln/detail/CVE-2026-45005
- https://github.com/openclaw/openclaw/commit/36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa
- https://github.com/openclaw/openclaw
- https://www.vulncheck.com/advisories/openclaw-webhook-route-secret-cache-not-invalidated-after-rotation
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw