Impact
OpenClaw versions prior to 2026.4.23 cache webhook route secrets that are backed by SecretRef values and never invalidate that cache when the underlying secrets are rotated or the configuration is reloaded. The weakness is classified as CWE-672 (Operation on a Resource after Expiration or Release): the gateway keeps authenticating against a cached copy of a secret that the legitimate owner has already retired. An attacker who already holds a previously valid secret can therefore continue to authenticate webhook requests and trigger the configured task flows after the secret has been changed, which prolongs unauthorized use of the webhook API and may lead to data leakage or unauthorized execution of workflow tasks.
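The caching defect described above, reduced to a self-contained TypeScript example. This is added illustrative code, not OpenClaw's implementation: the `SecretRef` shape, the `SecretBackend` store, the route layout and the class names are all assumptions made for the demonstration. `StaleCachingAuth` resolves a SecretRef once and keeps the value for the life of the process, so a rotated secret is never observed; `ReloadAwareAuth` ties cached values to a configuration generation and drops them on `reload()`, so the next request re-resolves the reference.

```typescript
// Hypothetical SecretRef: a pointer into a backing store, not the secret value itself.
type SecretRef = { provider: "env"; key: string };
type Route = { path: string; secret: SecretRef };

// Constructed stand-in for whatever a SecretRef resolves against (vault, env, file).
// Rotation is modelled as overwriting the key.
class SecretBackend {
  private values = new Map<string, string>();
  set(key: string, value: string): void { this.values.set(key, value); }
  resolve(ref: SecretRef): string {
    const v = this.values.get(ref.key);
    if (v === undefined) throw new Error(`unresolved SecretRef ${ref.key}`);
    return v;
  }
}

// Constant-time comparison: accumulate differences instead of returning early,
// so the time taken does not depend on where the first mismatching byte is.
function secretsMatch(expected: string, presented: string): boolean {
  const a = new TextEncoder().encode(expected);
  const b = new TextEncoder().encode(presented);
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a[i] ?? 0) ^ (b[i] ?? 0);
  }
  return diff === 0;
}

// Vulnerable pattern: resolve the ref on first use, then keep the value forever.
// A rotation in the backend is never seen until the process restarts.
class StaleCachingAuth {
  private cache = new Map<string, string>();
  constructor(private backend: SecretBackend, private routes: Route[]) {}
  authorize(path: string, presented: string): boolean {
    const route = this.routes.find(r => r.path === path);
    if (!route) return false;
    let secret = this.cache.get(path);
    if (secret === undefined) {
      secret = this.backend.resolve(route.secret);
      this.cache.set(path, secret);
    }
    return secretsMatch(secret, presented);
  }
}

// Hardened pattern: every cached value carries the config generation it was
// resolved under; reload() bumps the generation and clears the cache, so a
// value resolved before the reload can never be used after it.
class ReloadAwareAuth {
  private cache = new Map<string, { gen: number; value: string }>();
  private generation = 0;
  constructor(private backend: SecretBackend, private routes: Route[]) {}
  reload(routes?: Route[]): void {
    if (routes) this.routes = routes;
    this.generation += 1;
    this.cache.clear();
  }
  authorize(path: string, presented: string): boolean {
    const route = this.routes.find(r => r.path === path);
    if (!route) return false;
    const hit = this.cache.get(path);
    let secret: string;
    if (hit && hit.gen === this.generation) {
      secret = hit.value;
    } else {
      secret = this.backend.resolve(route.secret);
      this.cache.set(path, { gen: this.generation, value: secret });
    }
    return secretsMatch(secret, presented);
  }
}

// Scenario: the attacker has learned the old secret; the owner rotates it and
// reloads configuration. Only the reload-aware gateway stops honouring the old value.
function scenario() {
  const backend = new SecretBackend();
  backend.set("WEBHOOK_DEPLOY", "old-secret-leaked");   // constructed sample value
  const routes: Route[] = [
    { path: "/hooks/deploy", secret: { provider: "env", key: "WEBHOOK_DEPLOY" } },
  ];

  const stale = new StaleCachingAuth(backend, routes);
  const fixed = new ReloadAwareAuth(backend, routes);
  stale.authorize("/hooks/deploy", "old-secret-leaked"); // warm both caches
  fixed.authorize("/hooks/deploy", "old-secret-leaked");

  backend.set("WEBHOOK_DEPLOY", "new-secret-rotated");   // owner rotates the secret
  fixed.reload(); // StaleCachingAuth has no invalidation hook; only a restart clears it

  return {
    staleAcceptsOld: stale.authorize("/hooks/deploy", "old-secret-leaked"),
    staleAcceptsNew: stale.authorize("/hooks/deploy", "new-secret-rotated"),
    fixedAcceptsOld: fixed.authorize("/hooks/deploy", "old-secret-leaked"),
    fixedAcceptsNew: fixed.authorize("/hooks/deploy", "new-secret-rotated"),
  };
}
```

In the scenario the stale gateway keeps accepting `old-secret-leaked` and rejects the freshly rotated value, which is exactly the window the advisory describes; the reload-aware gateway rejects the old secret and accepts the new one as soon as `reload()` has run. The generation tag is belt-and-braces on top of `cache.clear()`: it also discards any entry that a request in flight during the reload may have inserted under the previous generation.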
Affected Systems
The vulnerability affects OpenClaw versions earlier than 2026.4.23. No specific downstream products are listed, but any deployment of an affected release that exposes webhook routing and authenticates routes with SecretRef-based secrets is impacted.
Risk and Exploitability
The CVSS score of 5.9 places the vulnerability in the medium severity range. No EPSS score is currently available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires possession of a previously valid webhook secret; an attacker who holds one simply keeps sending webhook calls with it, and the gateway accepts them until the gateway or plugin is restarted. No other conditions or elevated privileges are needed beyond possession of the secret. The flaw is reachable remotely through the webhook endpoint, so an attacker can trigger repeated malicious task executions until a restart clears the stale cache. Rotating the secret on its own is therefore not an effective containment step on affected versions; a restart, or an upgrade to 2026.4.23 or later, is required.
OpenCVE Enrichment