Description
OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per-request, enabling attackers to use rotated-out bearer tokens for unauthorized gateway access.
Published: 2026-05-06
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when OpenClaw captures the bearer‑auth configuration at startup and never re‑resolves it for each request. This allows tokens that have been revoked after a SecretRef rotation to continue to be accepted by the Gateway’s HTTP and WebSocket handlers. The attacker can therefore gain unauthorized access to the gateway, leaking or manipulating data, and potentially pivot into backend services. The weakness is a misuse of configuration state persistence, classified as CWE‑672.

Affected Systems

OpenClaw software versions before 2026.4.15, available for all platforms supported through the node.js stack. Versions after 2026.4.15 have the issue fixed.

Risk and Exploitability

The CVSS score of 9.2 marks this a high‑severity flaw. The EPSS score is unavailable, and the vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw remotely by presenting a revoked bearer token over the gateway’s HTTP or WebSocket interface; no special privileges or internal access are required, implying a remote attack vector. The flaw persists as long as the gateway remains running with the stale configuration, making it a persistent risk until the application is updated or restarted.

Generated by OpenCVE AI on May 6, 2026 at 21:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.4.15 or newer to apply the configuration re‑resolution fix.
  • Restart the OpenClaw Gateway services immediately after installing the upgrade to clear any cached token state.
  • Verify that the SecretRef has been rotated and that the gateway no longer accepts revoked tokens by testing authentication with a known revoked token.

Generated by OpenCVE AI on May 6, 2026 at 21:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 06 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per-request, enabling attackers to use rotated-out bearer tokens for unauthorized gateway access.
Title OpenClaw < 2026.4.15 - Bearer Token Validation Bypass via Stale SecretRef Resolution
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-672
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-07T13:53:33.902Z

Reserved: 2026-05-01T17:00:54.537Z

Link: CVE-2026-43585

cve-icon Vulnrichment

Updated: 2026-05-07T13:53:30.673Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T20:16:34.473

Modified: 2026-05-07T19:36:59.427

Link: CVE-2026-43585

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T22:15:13Z

Weaknesses