GHSA-275c-xpvc-jgfw: OpenClaw: Slack/Zalo webhook secrets outlive rotation
GHSA-275c-xpvc-jgfw (MEDIUM)
OpenClaw's Slack and Zalo webhook channels kept honoring the old webhook secret for a window after an operator called secrets.reload to rotate it, because the running channel handler wasn't actually restarted. There's no CVSS score, no EPSS data, no CISA KEV listing, and no public exploit or Nuclei template for this one — it's a medium-severity, narrow-scope flaw that only bites operators who have those specific webhook channels enabled and reachable, and it requires the attacker to already possess a previously valid secret. The real exposure is trust boundary drift in shared-Gateway deployments: a partner, contractor, or compromised third party who should have lost access can keep injecting webhook events into the agent pipeline until the runtime is restarted. With only 4 known downstream dependents the blast radius is small today, but openclaw already carries 425 other CVEs in its history, so treat this as one more signal that its security posture needs active management rather than a one-off. Patch to 2026.4.22, and until then restart the affected channel runtime — not just secrets.reload — every time you rotate a webhook secret.
What is the risk?
Medium severity, CWE-613 (Insufficient Session Expiration). No CVSS vector or EPSS score has been published, there is no evidence of active exploitation (not in CISA KEV), no public PoC, and no Nuclei scanning template exists — exploitability signals are all low. However, the vulnerability class (a revoked credential that keeps working) is inherently easy to exploit once the precondition is met: the attacker only needs to have held a previously valid Slack/Zalo webhook secret and to act within the stale-secret window before the operator restarts the channel runtime. Risk is bounded by scope — it only applies when the specific webhook feature is enabled and network-reachable, and the vendor is explicit that OpenClaw's broader trusted-operator model (authenticated Gateway operators, installed plugins) is unaffected.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | <= 2026.4.21 | 2026.4.22 |
If you run OpenClaw 2026.4.21 or earlier with the Slack or Zalo webhook channel enabled and reachable, you are affected.
What should I do?
Upgrade OpenClaw to 2026.4.22 or later, where secrets.reload correctly invalidates the prior secret. Until patched, fully restart the affected channel runtime after every webhook secret rotation; calling secrets.reload alone is not sufficient. As general hardening: keep channel and tool allowlists narrow, avoid sharing a single Gateway between mutually untrusted users or tenants, and disable the Slack/Zalo webhook feature entirely if it isn't in active use. For detection, audit webhook authentication logs for requests accepted after a rotation whose signatures still validate under the retired secret value, and treat any webhook traffic that continues after a scheduled rotation as suspect until its signer is confirmed to hold the new secret.
Frequently Asked Questions
What is GHSA-275c-xpvc-jgfw?
A medium-severity flaw (CWE-613) in OpenClaw 2026.4.21 and earlier: after an operator rotated a Slack or Zalo webhook secret with secrets.reload, the running channel handler kept honoring the old secret until the channel runtime was restarted, so anyone still holding the previous secret could keep injecting webhook events into the agent pipeline. The summary at the top of this page gives the full assessment.
Is GHSA-275c-xpvc-jgfw actively exploited?
No confirmed active exploitation of GHSA-275c-xpvc-jgfw has been reported, but organizations should still patch proactively.
How to fix GHSA-275c-xpvc-jgfw?
Upgrade to OpenClaw 2026.4.22 or later. Until then, fully restart the affected channel runtime after every webhook secret rotation; secrets.reload alone is not enough. The hardening and detection advice under "What should I do?" above applies.
What systems are affected by GHSA-275c-xpvc-jgfw?
OpenClaw 2026.4.21 and earlier (npm), when the Slack or Zalo webhook channel is enabled. In terms of AI/ML architecture patterns, it affects agent frameworks and webhook integrations.
What is the CVSS score for GHSA-275c-xpvc-jgfw?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures: agent frameworks, webhook integrations.
MITRE ATLAS Techniques:
- AML.T0012 Valid Accounts
- AML.T0091 Use Alternate Authentication Material
- AML.T0096 AI Service API
What are the technical details?
Original Advisory
### Summary
Slack and Zalo webhook secrets could remain active after secrets.reload. In affected versions, a caller with an old webhook secret during the stale-secret window could keep accepting the previous secret after `secrets.reload`. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.
### Impact
When the affected feature is enabled and reachable, this could deliver webhook events briefly after the operator expected revocation. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path.
### Patched Versions
The first stable patched version is `2026.4.22`.
### Mitigations
Restart the affected channel runtime after rotating webhook secrets until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.
Exploitation Scenario
An external party (a former integration partner, a departed contractor, or an attacker who obtained a leaked Slack/Zalo webhook secret) retains a webhook secret that the OpenClaw operator later rotates via secrets.reload, believing access is revoked. Because the channel runtime keeps running with the old secret cached until restarted, the party continues sending correctly-signed webhook requests during the stale window. Those requests are accepted and delivered as legitimate channel events into the OpenClaw agent Gateway, letting the unauthorized caller inject input into the agent's event stream or trigger downstream tool invocations — particularly damaging in Gateway deployments shared across multiple untrusted users where this is the only boundary preventing cross-tenant interference.
Weaknesses (CWE)
CWE-613 — Insufficient Session Expiration: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
- [Implementation] Set an expiration date on sessions and credentials.
Source: MITRE CWE corpus.
Related Vulnerabilities
- CVE-2026-33579 (9.9): OpenClaw: scope bypass escalates low-priv to admin (same package: openclaw)
- CVE-2026-32922 (9.9): OpenClaw: privilege escalation to RCE via token scope bypass (same package: openclaw)
- CVE-2026-53838 (9.8): OpenClaw: approval scope bypass via reconnection state (same package: openclaw)
- CVE-2026-30741 (9.8): OpenClaw: RCE via request-side prompt injection (same package: openclaw)
- CVE-2026-32038 (9.8): OpenClaw: sandbox bypass enables container lateral movement (same package: openclaw)