⚠ Withdrawn by GitHub Security Advisories
Withdrawn: May 18, 2026
GHSA-v8j2-5f9p-fmh4MediumCVSS 6.0Disclosed before NVD
Duplicate Advisory: OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload
📋 Description
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-q8ff-7ffm-m3r9. This link is maintained to preserve external references.
### Original Description
OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until gateway or plugin restart.
🎯 Affected products1
- npm/openclaw:< 2026.4.23
🔗 References (5)
- https://github.com/openclaw/openclaw/security/advisories/GHSA-q8ff-7ffm-m3r9
- https://nvd.nist.gov/vuln/detail/CVE-2026-45005
- https://github.com/openclaw/openclaw/commit/36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa
- https://www.vulncheck.com/advisories/openclaw-webhook-route-secret-cache-not-invalidated-after-rotation
- https://github.com/advisories/GHSA-v8j2-5f9p-fmh4