Webhook Route Secret Caching Issue in OpenClaw
CVE-2026-45005

5.9 MEDIUM

Key Information:

Vendor

OpenClaw

Status
Vendor
CVE Published:
11 May 2026

What is CVE-2026-45005?

OpenClaw versions prior to 2026.4.23 contain a flaw where resolved webhook route secrets backed by SecretRef values are cached. This vulnerability allows previously valid webhook route secrets to remain effective even after they have been rotated and reloaded. As a result, attackers who possess these old secrets can continue to authenticate their requests and trigger configured webhook task flows. To mitigate risks associated with this vulnerability, a restart of the gateway or plugin is essential.
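
The caching behaviour described above, as an added example that is not OpenClaw's code or its actual fix: a route that resolves its secret once and keeps it, beside one way to tie the cache to a reload. SecretStore, CachingRoute, ReloadAwareRoute, the generation counter, the "hooks/deploy" reference and the secret values are all hypothetical and constructed for illustration.

```javascript
// Constructed stand-in for whatever backs a SecretRef (hypothetical).
class SecretStore {
  constructor(values) { this.values = new Map(Object.entries(values)); this.generation = 0; }
  resolve(ref) { return this.values.get(ref); }
  // Rotation plus reload: the value changes and the generation counter advances.
  rotate(ref, value) { this.values.set(ref, value); this.generation += 1; }
}

// Rejects missing or empty secrets; compares without exiting on the first mismatch.
function matches(presented, secret) {
  if (typeof presented !== "string" || typeof secret !== "string" || secret.length === 0) return false;
  let diff = presented.length ^ secret.length;
  for (let i = 0; i < presented.length; i++) diff |= presented.charCodeAt(i) ^ secret.charCodeAt(i % secret.length);
  return diff === 0;
}

// Flawed pattern: the resolved value is cached on first use and never refreshed.
class CachingRoute {
  constructor(store, ref) { this.store = store; this.ref = ref; this.cached = null; }
  authenticate(presented) {
    if (this.cached === null) this.cached = this.store.resolve(this.ref);
    return matches(presented, this.cached);
  }
}

// One possible hardening: the cache is only trusted for the generation it was read in.
class ReloadAwareRoute {
  constructor(store, ref) { this.store = store; this.ref = ref; this.cached = null; this.seen = -1; }
  authenticate(presented) {
    if (this.seen !== this.store.generation) {
      this.cached = this.store.resolve(this.ref);
      this.seen = this.store.generation;
    }
    return matches(presented, this.cached);
  }
}

// Regression check: authenticate, rotate, then present the old and the new secret.
function demo() {
  const store = new SecretStore({ "hooks/deploy": "old-secret-constructed" });
  const weak = new CachingRoute(store, "hooks/deploy");
  const fixed = new ReloadAwareRoute(store, "hooks/deploy");
  const before = [weak.authenticate("old-secret-constructed"), fixed.authenticate("old-secret-constructed")];
  store.rotate("hooks/deploy", "new-secret-constructed");
  const probe = (route) => ({ old: route.authenticate("old-secret-constructed"), fresh: route.authenticate("new-secret-constructed") });
  return { before, weak: probe(weak), fixed: probe(fixed) };
}
console.log(demo());
```

The same rotate-then-probe sequence works as a post-upgrade check against a test route: after rotation and reload, the old secret must be rejected without restarting the gateway or plugin.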

Affected Version(s)

OpenClaw 0 < 2026.4.23

OpenClaw 2026.4.23

CVSS V4

Score:
5.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

侯海飞 (@feynman-hou)