CVE-2026-45005
CVE-2026-45005 is a medium-severity vulnerability rated 5.9/10 on the CVSS scale. EPSS estimates a 0.29% chance of exploitation in the next 30 days.
Description
OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until gateway or plugin restart.
Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | < 2026.4.23 |
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-q8ff-7ffm-m3r9 (Third Party Advisory)
- https://www.vulncheck.com/advisories/openclaw-webhook-route-secret-cache-not-invalidated-after-rotation (Patch, Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-45005?
How severe is CVE-2026-45005?
How do I fix CVE-2026-45005?
Are you affected by CVE-2026-45005?
Source: NVD / NIST
