GHSA-q8ff-7ffm-m3r9: openclaw: stale webhook secret survives credential rotation

GHSA-q8ff-7ffm-m3r9 MEDIUM
Published May 5, 2026
CISO Take

OpenClaw cached SecretRef-backed webhook route secrets at resolve time, meaning a rotated secret remained valid until the gateway or plugin restarted — directly undermining credential rotation as a security control. For teams using OpenClaw to trigger AI agent workflows via webhooks, a revoked credential stays active indefinitely post-rotation, violating the assumed security invariant that secret rotation equals immediate revocation. With no public exploit, no KEV listing, and only 4 downstream dependents, the blast radius is narrow, but the control failure is real: any incident response playbook that relies on immediate secret revocation is broken for OpenClaw webhook routes until the gateway restarts. Upgrade to openclaw@2026.4.23 immediately; if the upgrade is delayed, restart the gateway and plugins after every secret rotation as a compensating control.

Sources: GitHub Advisory, ATLAS, CVSS

What is the risk?

Medium risk with notable operational security impact. The CVSS 6.0 score (AV:N/AC:L/PR:H) accurately reflects the pre-condition that an attacker must already possess a previously valid webhook secret, limiting opportunistic exploitation. However, the control failure is operationally serious: organizations that rotate secrets in response to an insider threat, credential compromise, or breach cannot rely on that rotation taking immediate effect. The window of exposure extends from the rotation event until the next gateway restart, which in production environments could span days or weeks. The 135 other CVEs in the same package ecosystem warrant broader scrutiny of openclaw deployments.

How does the attack unfold?

  1. Credential Acquisition (AML.T0012): Attacker obtains a valid OpenClaw webhook route secret through prior legitimate access, credential exfiltration from a compromised system, or via a malicious skill in the OpenClaw ecosystem.

  2. Rotation Evasion (AML.T0091.000): Operator rotates the underlying SecretRef secret and runs `openclaw secrets reload` believing the old credential is invalidated, but the gateway's in-memory cache retains the previously resolved secret unchanged.

  3. Persistent Unauthorized Access (AML.T0107): Attacker continues sending webhook requests authenticated with the stale secret, maintaining access across what the operator believed was a successful revocation event without any indication of failure.

  4. Unauthorized Agent Task Invocation (AML.T0053): Attacker invokes configured webhook task flows to trigger AI agent actions — exfiltrating data, executing unauthorized operations, or consuming compute — while the operator believes the credential has been revoked.

What systems are affected?

Package: OpenClaw
Ecosystem: npm
Vulnerable Range: < 2026.4.23
Patched: 2026.4.23
4 dependents, 36% patched, ~3d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: 6.0 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network
AC: Low
PR: High
UI: None
S: Unchanged
C: Low
I: High
A: Low

What should I do?

5 steps
  1. Upgrade to openclaw@2026.4.23 immediately — this version resolves SecretRef-backed secrets on every request, making rotations effective after `openclaw secrets reload` without requiring a restart.

  2. If immediate upgrade is not possible, add gateway and plugin restart to your credential rotation runbooks as a mandatory compensating control.

  3. Audit all webhook routes to identify which are backed by SecretRef — those are exclusively affected.

  4. Review webhook authentication logs for invocations occurring after recent rotation events to detect potential abuse of stale credentials.

  5. Treat any current webhook secrets as potentially stale and rotate them after upgrading to ensure a clean state.
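
Step 4 as an added example (not OpenClaw code): it flags accepted webhook invocations that fall between a secret rotation and the next restart, the window in which an affected gateway still honours the pre-rotation secret. The event types and field names are constructed assumptions, not OpenClaw's log schema, and the sketch assumes the cache holds only the pre-rotation value, so any request accepted in that window used the old secret.

```javascript
// Constructed sample events; the schema is an assumption for illustration only.
const sampleEvents = [
  { ts: "2026-05-01T09:00:00Z", type: "gateway_start" },
  { ts: "2026-05-02T10:00:00Z", type: "webhook_accepted", route: "route-a", src: "198.51.100.7" },
  { ts: "2026-05-03T12:00:00Z", type: "secret_rotated", route: "route-a" },
  { ts: "2026-05-03T12:05:00Z", type: "webhook_accepted", route: "route-a", src: "198.51.100.7" },
  { ts: "2026-05-03T12:06:00Z", type: "webhook_accepted", route: "route-b", src: "203.0.113.9" },
  { ts: "2026-05-04T08:00:00Z", type: "gateway_start" },
  { ts: "2026-05-04T08:30:00Z", type: "webhook_accepted", route: "route-a", src: "192.0.2.20" },
];

// Returns accepted invocations that occurred after a route's secret was rotated
// but before the next restart cleared the cached secret.
function staleWindowHits(events) {
  const sorted = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  const rotatedAt = new Map(); // route -> first rotation not yet followed by a restart
  const hits = [];
  for (const e of sorted) {
    if (e.type === "gateway_start") {
      rotatedAt.clear(); // a restart re-resolves every route secret
    } else if (e.type === "secret_rotated") {
      if (!rotatedAt.has(e.route)) rotatedAt.set(e.route, e.ts);
    } else if (e.type === "webhook_accepted" && rotatedAt.has(e.route)) {
      hits.push({ ...e, rotatedAt: rotatedAt.get(e.route) });
    }
  }
  return hits;
}

console.log(staleWindowHits(sampleEvents));
```

Each hit is either a legitimate sender that was not yet given the new secret or a holder of the rotated-out one, so the source address and payload decide which.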

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.6.2.6 - AI system security controls
NIST AI RMF: MANAGE 2.2 - Mechanisms for tracking AI risks are in place
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions

Is GHSA-q8ff-7ffm-m3r9 actively exploited?

No confirmed active exploitation of GHSA-q8ff-7ffm-m3r9 has been reported, but organizations should still patch proactively.

How to fix GHSA-q8ff-7ffm-m3r9?

  1. Upgrade to openclaw@2026.4.23 immediately — this version resolves SecretRef-backed secrets on every request, making rotations effective after `openclaw secrets reload` without requiring a restart.

  2. If immediate upgrade is not possible, add gateway and plugin restart to your credential rotation runbooks as a mandatory compensating control.

  3. Audit all webhook routes to identify which are backed by SecretRef — those are exclusively affected.

  4. Review webhook authentication logs for invocations occurring after recent rotation events to detect potential abuse of stale credentials.

  5. Treat any current webhook secrets as potentially stale and rotate them after upgrading to ensure a clean state.

What systems are affected by GHSA-q8ff-7ffm-m3r9?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, webhook integrations, event-driven AI pipelines, AI agent orchestration.

What is the CVSS score for GHSA-q8ff-7ffm-m3r9?

GHSA-q8ff-7ffm-m3r9 has a CVSS v3.1 base score of 6.0 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks, webhook integrations, event-driven AI pipelines, AI agent orchestration

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0053 AI Agent Tool Invocation
AML.T0091.000 Application Access Token

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

## Summary

OpenClaw webhooks allowed route secrets to be backed by `SecretRef` values, but cached the resolved secret for a route. After an operator rotated the underlying secret and ran `openclaw secrets reload`, the previous resolved webhook secret could remain valid until the plugin or gateway restarted.

## Impact

An attacker who already had a previously valid webhook route secret could continue authenticating webhook requests after the operator rotated the secret and reloaded secrets. This weakened credential rotation for webhook routes and could allow continued invocation of the configured webhook task flow until restart.

## Affected Packages / Versions

- Package: `openclaw` on npm
- Affected: versions before `2026.4.23`
- Fixed: `2026.4.23`
- Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23`

## Fix

Webhook route authentication now resolves `SecretRef`-backed route secrets on each request. A rotated secret becomes effective after `openclaw secrets reload` without requiring a gateway or plugin restart, and the old secret is rejected.

## Fix Commit(s)

- `36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa` (`fix(webhooks): reload route secrets per request`)

## Severity

Severity remains `medium`. The attack requires possession of a previously valid route secret, but the stale credential can continue to authorize webhook actions after rotation.
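
The difference between the cached and per-request behaviour described in the advisory, as an added example that is not OpenClaw's code: `SecretStore`, `makeCachedAuth`, `makePerRequestAuth` and the route and secret values are hypothetical names constructed for illustration, with `reload()` standing in for `openclaw secrets reload`.

```javascript
const crypto = require("node:crypto");

// Constructed stand-in for a secrets backend (hypothetical, not OpenClaw's API).
class SecretStore {
  constructor(initial) {
    this.backing = { ...initial }; // what the operator has stored
    this.live = { ...initial };    // what the process currently resolves
  }
  rotate(ref, value) { this.backing[ref] = value; }
  reload() { this.live = { ...this.backing }; }
  resolve(ref) { return this.live[ref]; }
}

// Compare fixed-length digests in constant time so neither length nor
// position of the first mismatch is observable.
function secretsMatch(presented, expected) {
  const digest = (s) => crypto.createHash("sha256").update(String(s)).digest();
  return crypto.timingSafeEqual(digest(presented), digest(expected));
}

// Pre-fix pattern: the SecretRef is resolved once and the value is captured.
function makeCachedAuth(store, ref) {
  const cached = store.resolve(ref);
  return (presented) => secretsMatch(presented, cached);
}

// Post-fix pattern: the SecretRef is resolved again on every request.
function makePerRequestAuth(store, ref) {
  return (presented) => secretsMatch(presented, store.resolve(ref));
}

// Rotation regression check: rotate, reload, then try both secrets.
function rotationCheck() {
  const ref = "webhook/route-a";
  const store = new SecretStore({ [ref]: "old-secret" });
  const cachedAuth = makeCachedAuth(store, ref);
  const liveAuth = makePerRequestAuth(store, ref);
  store.rotate(ref, "new-secret");
  store.reload();
  return {
    cachedAcceptsOld: cachedAuth("old-secret"),
    cachedAcceptsNew: cachedAuth("new-secret"),
    liveAcceptsOld: liveAuth("old-secret"),
    liveAcceptsNew: liveAuth("new-secret"),
  };
}

console.log(rotationCheck());
```

The same rotate, reload, then present-the-old-secret sequence is a useful acceptance test against a staging gateway after upgrading.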

Exploitation Scenario

A threat actor — former employee, compromised third-party integrator, or internal adversary — who previously held a valid OpenClaw webhook route secret retains it after being offboarded or during an incident response scenario. The operator rotates the underlying secret in the secrets store and runs `openclaw secrets reload`, believing access has been fully revoked. Because OpenClaw cached the resolved secret at startup, the gateway continues accepting the old credential transparently. The attacker continues invoking webhook task flows — triggering AI agent actions, potentially exfiltrating data through agent tool invocations, or executing unauthorized operations — while the operator operates under the false assumption that the rotation successfully closed the gap. The attack requires no technical sophistication beyond possessing the original credential.

Weaknesses (CWE)

CWE-613 — Insufficient Session Expiration: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

  • [Implementation] Set sessions/credentials expiration date.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L

Timeline

Published
May 5, 2026
Last Modified
May 5, 2026
First Seen
May 5, 2026
