AI Threat Alert

GHSA-xmxx-7p24-h892: OpenClaw: stale bearer token survives SecretRef rotation

GHSA-xmxx-7p24-h892 HIGH
Published April 17, 2026
CISO Take

OpenClaw's gateway resolved bearer authentication once at process startup and cached it, meaning any token invalidated via SecretRef rotation remained fully valid until the service was restarted. During an active incident — the precise moment operators rotate credentials to cut off an attacker — this flaw creates a dangerous false sense of remediation while unauthorized access silently persists. With 135 prior CVEs in this package and a documented malicious skills ecosystem that has already been used for credential exfiltration (AIID #1368), any undetected access window in an OpenClaw deployment carries compounded operational risk. Upgrade to OpenClaw ≥ 2026.4.15 and immediately restart all gateway instances; audit access logs for token usage occurring after rotation events to determine whether the window was exploited.

Sources: GitHub Advisory ATLAS

What is the risk?

High operational risk despite no confirmed active exploitation. The vulnerability does not enable initial access independently — an adversary must already possess a bearer token — but it critically undermines credential rotation as an incident response control, converting a closed incident into an ongoing compromise. Organizations that performed SecretRef rotations without restarting the gateway are in an unresolved state. No EPSS data is available and the CVE is not in CISA KEV, limiting quantifiable exploitation probability. Blast radius is constrained to 4 downstream dependents, but any running OpenClaw gateway instance is fully affected regardless of version history.

How does the attack unfold?

Token Acquisition
Adversary obtains a valid OpenClaw gateway bearer token via credential phishing, log exposure, or exfiltration through a malicious skill.
AML.T0055
Rotation Event
Target operator performs SecretRef rotation expecting immediate revocation; gateway process is not restarted and continues serving the cached startup-time token.
Persistent Unauthorized Access
Adversary continues authenticating with the stale token against HTTP and WebSocket surfaces; gateway accepts requests indefinitely from its cached startup state.
AML.T0091.000
Agent Tool Abuse
With persistent gateway access, adversary invokes AI agent tools and LLM interfaces to exfiltrate data, gather context, or pivot within the target infrastructure.
AML.T0053

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw npm < 2026.4.15 2026.4.15
4 dependents 36% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

1 step

  1. 1) Upgrade OpenClaw to ≥ 2026.4.15 — the fix resolves bearer auth from the live runtime secret snapshot on every HTTP request and WebSocket upgrade rather than at startup. 2) Restart all running gateway instances immediately after patching; the vulnerability exists in process memory and persists across in-place upgrades without restart. 3) If immediate patching is blocked, restrict gateway network access and treat any previously rotated token as potentially still active. 4) Audit gateway access logs for authentication events using tokens timestamped after their rotation date to identify exploitation windows. 5) For any identified exploitation window, escalate to incident response and assess what agent tools and LLM surfaces were invoked under the stale credential.

How is it classified?

Auth Bypass Agent API AML.T0012 AML.T0053 AML.T0091.000

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.10.1 - Information security for AI systems
NIST AI RMF
MANAGE 2.4 - Mechanisms for managing AI risks are in place
OWASP LLM Top 10
LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is GHSA-xmxx-7p24-h892?

OpenClaw's gateway resolved bearer authentication once at process startup and cached it, meaning any token invalidated via SecretRef rotation remained fully valid until the service was restarted. During an active incident — the precise moment operators rotate credentials to cut off an attacker — this flaw creates a dangerous false sense of remediation while unauthorized access silently persists. With 135 prior CVEs in this package and a documented malicious skills ecosystem that has already been used for credential exfiltration (AIID #1368), any undetected access window in an OpenClaw deployment carries compounded operational risk. Upgrade to OpenClaw ≥ 2026.4.15 and immediately restart all gateway instances; audit access logs for token usage occurring after rotation events to determine whether the window was exploited.

Is GHSA-xmxx-7p24-h892 actively exploited?

No confirmed active exploitation of GHSA-xmxx-7p24-h892 has been reported, but organizations should still patch proactively.

How to fix GHSA-xmxx-7p24-h892?

1) Upgrade OpenClaw to ≥ 2026.4.15 — the fix resolves bearer auth from the live runtime secret snapshot on every HTTP request and WebSocket upgrade rather than at startup. 2) Restart all running gateway instances immediately after patching; the vulnerability exists in process memory and persists across in-place upgrades without restart. 3) If immediate patching is blocked, restrict gateway network access and treat any previously rotated token as potentially still active. 4) Audit gateway access logs for authentication events using tokens timestamped after their rotation date to identify exploitation windows. 5) For any identified exploitation window, escalate to incident response and assess what agent tools and LLM surfaces were invoked under the stale credential.

What systems are affected by GHSA-xmxx-7p24-h892?

This vulnerability affects the following AI/ML architecture patterns: AI agent gateways, LLM-connected services, agent frameworks, API gateways for AI.

What is the CVSS score for GHSA-xmxx-7p24-h892?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

AI agent gatewaysLLM-connected servicesagent frameworksAPI gateways for AI

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0053 AI Agent Tool Invocation
AML.T0091.000 Application Access Token

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.10.1
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

## Summary Gateway HTTP and WebSocket handlers captured the resolved bearer-auth configuration when the server started. After a SecretRef rotation, the already-running gateway could continue accepting the old bearer token until restart. ## Impact A bearer token that should have been revoked by SecretRef rotation could remain valid on the gateway HTTP and upgrade surfaces for the lifetime of the process. Severity remains high because the old token could continue to authorize gateway requests after operators believed it was rotated out. ## Affected versions - Affected: `< 2026.4.15` - Patched: `2026.4.15` ## Fix OpenClaw `2026.4.15` resolves active gateway auth from the runtime secret snapshot per request and per upgrade instead of using a stale startup-time value. Verified in `v2026.4.15`: - `src/gateway/server.impl.ts` exposes `getResolvedAuth()` backed by the current runtime secret snapshot. - `src/gateway/server-http.ts` calls `getResolvedAuth()` for each HTTP request and WebSocket upgrade before running auth checks. - `src/gateway/server-http.probe.test.ts` verifies `/ready` re-resolves bearer auth after rotation and rejects the old token. Fix commit included in `v2026.4.15` and absent from `v2026.4.14`: - `acd4e0a32f12e1ad85f3130f63b42443ce90f094` via PR #66651 Thanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue.

Exploitation Scenario

An adversary who obtained a bearer token via credential phishing, log exposure, or a prior breach of the OpenClaw skills ecosystem (per AIID #1368 patterns) waits after discovery. When the target organization performs a SecretRef rotation — believing they have contained the compromise — the attacker detects no disruption to their access. They continue submitting authenticated HTTP requests and WebSocket upgrades to the OpenClaw gateway, invoking AI agent tools and accessing LLM interfaces the operator believed were no longer reachable. Because the incident is considered closed post-rotation, the organization does not monitor for continued use of the old token, allowing the adversary to maintain persistent access to the AI agent infrastructure for the lifetime of the process.

Weaknesses (CWE)

CWE-324 Use of a Key Past its Expiration Date Primary

CWE-324 — Use of a Key Past its Expiration Date: The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.

  • [Architecture and Design] Adequate consideration should be put in to the user interface in order to notify users previous to the key's expiration, to explain the importance of new key generation and to walk users through the process as painlessly as possible.

Source: MITRE CWE corpus.

References

Timeline

Published
April 17, 2026
Last Modified
April 17, 2026
First Seen
April 18, 2026

Related Vulnerabilities

CRITICAL CVE-2026-33579 9.9

OpenClaw: scope bypass escalates low-priv to admin

Same package: openclaw
CRITICAL CVE-2026-32922 9.9

OpenClaw: privilege escalation to RCE via token scope bypass

Same package: openclaw
CRITICAL CVE-2026-32038 9.8

Analysis pending

Same package: openclaw
CRITICAL CVE-2026-53838 9.8

OpenClaw: approval scope bypass via reconnection state

Same package: openclaw
CRITICAL CVE-2026-30741 9.8

OpenClaw: RCE via request-side prompt injection

Same package: openclaw
Back to Threat Feed