Description
OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation, potentially accepting previous credentials.
Published: 2026-06-12
Score: 6 (Medium)
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw before 2026.4.22 contains a flaw that lets attackers keep using old Slack and Zalo webhook secrets even after the system performs a secrets.reload, which is intended to revoke previously issued credentials. The vulnerability enables malicious actors to deliver webhook events during the brief window when the stale secrets are still accepted, effectively allowing them to bypass the operator‑expected revocation and potentially gain unauthorized access to the system.

Affected Systems

OpenClaw (vendor: OpenClaw) versions older than 2026.4.22 are affected.

Risk and Exploitability

This issue is rated with a CVSS score of 6, indicating moderate severity. The EPSS score is not available, meaning current data does not quantify likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would likely exploit it by sending webhook payloads from a Slack or Zalo integration that still carries a revoked secret. The likely attack vector is remote, with an adversary needing only to produce a valid webhook event to bypass the revocation logic – a condition that can be met without any privileged account or system discovery.

Generated by OpenCVE AI on June 12, 2026 at 23:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.4.22 or later to obtain the patch that fixes the webhook secret revocation logic.
  • After upgrading, generate new webhook secrets and immediately revoke and delete any old secrets that may still be in circulation.
  • Implement monitoring to detect webhook events that use revoked or out‑of‑date secrets and alert administrators if such attempts occur.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 22:15:00 +0000

Type | Values Removed | Values Added
Description |  | OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation, potentially accepting previous credentials.
Title |  | OpenClaw < 2026.4.22 - Webhook Secret Revocation Bypass via secrets.reload
First Time appeared |  | Openclaw; Openclaw openclaw
Weaknesses |  | CWE-613
CPEs |  | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products |  | Openclaw; Openclaw openclaw
References |  | 
Metrics |  | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}; cvssV4_0 {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-12T21:56:55.771Z

Reserved: 2026-06-10T21:16:58.211Z

Link: CVE-2026-53830

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-12T22:16:54.490

Modified: 2026-06-12T22:16:54.490

Link: CVE-2026-53830

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T23:45:26Z

Weaknesses
  • CWE-613: Insufficient Session Expiration