GHSA-275c-xpvc-jgfw: OpenClaw: Slack/Zalo webhook secrets outlive rotation

GHSA-275c-xpvc-jgfw MEDIUM
Published July 2, 2026
CISO Take

OpenClaw's Slack and Zalo webhook channels kept honoring the old webhook secret for a window after an operator called secrets.reload to rotate it, because the running channel handler wasn't actually restarted. There's no CVSS score, no EPSS data, no CISA KEV listing, and no public exploit or Nuclei template for this one — it's a medium-severity, narrow-scope flaw that only bites operators who have those specific webhook channels enabled and reachable, and it requires the attacker to already possess a previously valid secret. The real exposure is trust boundary drift in shared-Gateway deployments: a partner, contractor, or compromised third party who should have lost access can keep injecting webhook events into the agent pipeline until the runtime is restarted. With only 4 known downstream dependents the blast radius is small today, but openclaw already carries 425 other CVEs in its history, so treat this as one more signal that its security posture needs active management rather than a one-off. Patch to 2026.4.22, and until then restart the affected channel runtime — not just secrets.reload — every time you rotate a webhook secret.

Sources: GitHub Advisory, ATLAS

What is the risk?

Medium severity, CWE-613 (Insufficient Session Expiration). No CVSS vector or EPSS score has been published, there is no evidence of active exploitation (not in CISA KEV), no public PoC, and no Nuclei scanning template exists — exploitability signals are all low. However, the vulnerability class (a revoked credential that keeps working) is inherently easy to exploit once the precondition is met: the attacker only needs to have held a previously valid Slack/Zalo webhook secret and to act within the stale-secret window before the operator restarts the channel runtime. Risk is bounded by scope — it only applies when the specific webhook feature is enabled and network-reachable, and the vendor is explicit that OpenClaw's broader trusted-operator model (authenticated Gateway operators, installed plugins) is unaffected.

How does the attack unfold?

1. Retain stale credential (AML.T0012): An external caller retains a Slack/Zalo webhook secret that the operator later rotates, believing prior access is revoked.
2. Exploit reload gap (AML.T0091): The operator rotates the secret via secrets.reload without restarting the channel runtime, leaving the old secret accepted during the stale window.
3. Deliver unauthorized events (AML.T0096): The caller sends signed webhook requests using the old secret, which the Gateway still accepts and routes into the agent's event pipeline.
4. Downstream agent impact (AML.T0053): Unauthorized webhook events reach the OpenClaw agent, potentially influencing its context or triggering tool invocations before the runtime is restarted and access is fully cut off.

What systems are affected?

Package: OpenClaw
Ecosystem: npm
Vulnerable range: <= 2026.4.21
Patched: 2026.4.22
Dependents: 4 (41% patched, ~3 days to patch)


How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

1. Upgrade OpenClaw to 2026.4.22 or later, where secrets.reload correctly invalidates the prior secret.
2. Until patched, fully restart the affected channel runtime after every webhook secret rotation; calling secrets.reload alone is not sufficient.
3. General hardening: keep channel and tool allowlists narrow, avoid sharing a single Gateway between mutually untrusted users or tenants, and disable the Slack/Zalo webhook feature entirely if it isn't in active use.
4. Detection: audit webhook auth logs for requests signed with a secret value that was supposed to have been rotated, and flag any webhook traffic that continues after a scheduled rotation event.

How is it classified?

Which compliance frameworks are affected?

This advisory is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - AI system operation and security controls
NIST AI RMF: MEASURE 2.7 - AI system security and resilience are evaluated and documented
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions


Is GHSA-275c-xpvc-jgfw actively exploited?

No confirmed active exploitation of GHSA-275c-xpvc-jgfw has been reported, but organizations should still patch proactively.


What systems are affected by GHSA-275c-xpvc-jgfw?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, webhook integrations.

What is the CVSS score for GHSA-275c-xpvc-jgfw?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, webhook integrations

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0091 Use Alternate Authentication Material
AML.T0096 AI Service API

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MEASURE 2.7
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

### Summary

Slack and Zalo webhook secrets could remain active after secrets.reload. In affected versions, a caller with an old webhook secret during the stale-secret window could keep accepting the previous secret after `secrets.reload`. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.

### Impact

When the affected feature is enabled and reachable, this could deliver webhook events briefly after the operator expected revocation. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path.

### Patched Versions

The first stable patched version is `2026.4.22`.

### Mitigations

Restart the affected channel runtime after rotating webhook secrets until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.

Exploitation Scenario

An external party (a former integration partner, a departed contractor, or an attacker who obtained a leaked Slack/Zalo webhook secret) retains a webhook secret that the OpenClaw operator later rotates via secrets.reload, believing access is revoked. Because the channel runtime keeps running with the old secret cached until restarted, the party continues sending correctly-signed webhook requests during the stale window. Those requests are accepted and delivered as legitimate channel events into the OpenClaw agent Gateway, letting the unauthorized caller inject input into the agent's event stream or trigger downstream tool invocations — particularly damaging in Gateway deployments shared across multiple untrusted users where this is the only boundary preventing cross-tenant interference.

Weaknesses (CWE)

CWE-613 — Insufficient Session Expiration: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

  • [Implementation] Set sessions/credentials expiration date.

Source: MITRE CWE corpus.

Timeline

Published: July 2, 2026
Last Modified: July 2, 2026
First Seen: July 2, 2026

Related Vulnerabilities