CVE-2026-45005: OpenClaw < 2026.4.23 - Webhook Route Secret Cache Not Invalidated After Rotation

Published May 11, 2026
·
Updated

OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until gateway or plugin restart.

Affected Software

2 affected components
OpenClaw<2026.4.23
OpenClaw Openclaw Node.js<2026.4.23

Remediation

Patch Available

https://github.com/openclaw/openclaw/commit/36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa

Patch Available

https://www.vulncheck.com/advisories/openclaw-webhook-route-secret-cache-not-invalidated-after-rotation

Event History

May 11, 2026
CVE Published
via MITRE·04:46 PM
Data Sourced
via MITRE·04:46 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·06:16 PM
RemedyDescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-45005?

CVE-2026-45005 is considered to have a medium severity due to the risk of unauthorized access via stale webhook route secrets.

2

How do I fix CVE-2026-45005?

To fix CVE-2026-45005, upgrade to OpenClaw version 2026.4.23 or later to ensure the webhook route secret cache is invalidated after rotation.

3

What are the potential impacts of CVE-2026-45005?

The potential impacts of CVE-2026-45005 include unauthorized access to webhook functionalities by using previously valid secrets.

4

What systems are affected by CVE-2026-45005?

CVE-2026-45005 affects all versions of OpenClaw prior to 2026.4.23 that utilize cached webhook route secrets.

5

How does CVE-2026-45005 allow attackers to exploit the system?

CVE-2026-45005 allows attackers to exploit the system by leveraging previously valid webhook route secrets that are not invalidated after rotation.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203