{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/secret-rotation/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["openclaw","authentication-bypass","secret-rotation"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw versions before \u003ccode\u003e2026.4.15\u003c/code\u003e are vulnerable to a bearer authentication bypass. The gateway HTTP and WebSocket handlers incorrectly capture the resolved bearer-auth configuration only once, during server startup. Consequently, if a SecretRef rotation occurs, the running gateway continues to accept the old, now-revoked, bearer token. This vulnerability persists until the OpenClaw server is restarted, effectively negating the intended token revocation. This issue poses a significant risk, as it allows potentially unauthorized access even after administrators have taken steps to rotate and invalidate the token. The vulnerability was reported by @zsxsoft, Keen Security Lab, and @qclawer and patched in version \u003ccode\u003e2026.4.15\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains a valid bearer token for OpenClaw gateway access.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw gateway server starts and caches the resolved bearer-auth configuration.\u003c/li\u003e\n\u003cli\u003eThe administrator initiates a SecretRef rotation, intending to revoke the existing bearer token.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the already-running OpenClaw gateway does not re-resolve the bearer-auth configuration against the new secret.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the old, now-revoked, bearer token in subsequent HTTP or WebSocket requests.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw gateway incorrectly validates the request using the cached, outdated authentication configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the gateway resources.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains unauthorized access until the OpenClaw gateway server is restarted.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass intended security controls. Specifically, an attacker with a revoked bearer token can maintain access to OpenClaw gateway resources, even after a SecretRef rotation. The vulnerability affects all OpenClaw deployments running versions prior to \u003ccode\u003e2026.4.15\u003c/code\u003e. The impact is significant, as it undermines the security posture of OpenClaw deployments and could lead to data breaches, service disruption, or other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version \u003ccode\u003e2026.4.15\u003c/code\u003e or later to patch the vulnerability as described in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-xmxx-7p24-h892\"\u003ehttps://github.com/advisories/GHSA-xmxx-7p24-h892\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eRestart OpenClaw gateway servers immediately after a SecretRef rotation to ensure that the new authentication configuration is loaded, mitigating the risk if an immediate upgrade is not feasible.\u003c/li\u003e\n\u003cli\u003eMonitor OpenClaw gateway logs for unauthorized access attempts, although this might be difficult to distinguish from legitimate requests using the outdated token.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-18T12:00:00Z","date_published":"2024-01-18T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-openclaw-bearer-auth-bypass/","summary":"OpenClaw versions prior to 2026.4.15 have a vulnerability where gateway HTTP and WebSocket handlers cache bearer-auth configuration at server startup, allowing a revoked token to remain valid after SecretRef rotation until restart, potentially granting unauthorized access.","title":"OpenClaw Gateway Bearer Auth Bypass After Secret Rotation","url":"https://feed.craftedsignal.io/briefs/2024-01-openclaw-bearer-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Secret-Rotation","version":"https://jsonfeed.org/version/1.1"}