<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Secret-Rotation - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/secret-rotation/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 18 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/secret-rotation/feed.xml" rel="self" type="application/rss+xml"/><item><title>OpenClaw Gateway Bearer Auth Bypass After Secret Rotation</title><link>https://feed.craftedsignal.io/briefs/2024-01-openclaw-bearer-auth-bypass/</link><pubDate>Thu, 18 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-openclaw-bearer-auth-bypass/</guid><description>OpenClaw versions prior to 2026.4.15 have a vulnerability where gateway HTTP and WebSocket handlers cache bearer-auth configuration at server startup, allowing a revoked token to remain valid after SecretRef rotation until restart, potentially granting unauthorized access.</description><content:encoded><![CDATA[<p>OpenClaw versions before <code>2026.4.15</code> are vulnerable to a bearer authentication bypass. The gateway HTTP and WebSocket handlers incorrectly capture the resolved bearer-auth configuration only once, during server startup. Consequently, if a SecretRef rotation occurs, the running gateway continues to accept the old, now-revoked, bearer token. This vulnerability persists until the OpenClaw server is restarted, effectively negating the intended token revocation. This issue poses a significant risk, as it allows potentially unauthorized access even after administrators have taken steps to rotate and invalidate the token. The vulnerability was reported by @zsxsoft, Keen Security Lab, and @qclawer and patched in version <code>2026.4.15</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker obtains a valid bearer token for OpenClaw gateway access.</li>
<li>The OpenClaw gateway server starts and caches the resolved bearer-auth configuration.</li>
<li>The administrator initiates a SecretRef rotation, intending to revoke the existing bearer token.</li>
<li>Due to the vulnerability, the already-running OpenClaw gateway does not re-resolve the bearer-auth configuration against the new secret.</li>
<li>The attacker uses the old, now-revoked, bearer token in subsequent HTTP or WebSocket requests.</li>
<li>The OpenClaw gateway incorrectly validates the request using the cached, outdated authentication configuration.</li>
<li>The attacker gains unauthorized access to the gateway resources.</li>
<li>The attacker maintains unauthorized access until the OpenClaw gateway server is restarted.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows attackers to bypass intended security controls. Specifically, an attacker with a revoked bearer token can maintain access to OpenClaw gateway resources, even after a SecretRef rotation. The vulnerability affects all OpenClaw deployments running versions prior to <code>2026.4.15</code>. The impact is significant, as it undermines the security posture of OpenClaw deployments and could lead to data breaches, service disruption, or other malicious activities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenClaw to version <code>2026.4.15</code> or later to patch the vulnerability as described in the advisory (<a href="https://github.com/advisories/GHSA-xmxx-7p24-h892">https://github.com/advisories/GHSA-xmxx-7p24-h892</a>).</li>
<li>Restart OpenClaw gateway servers immediately after a SecretRef rotation to ensure that the new authentication configuration is loaded, mitigating the risk if an immediate upgrade is not feasible.</li>
<li>Monitor OpenClaw gateway logs for unauthorized access attempts, although this might be difficult to distinguish from legitimate requests using the outdated token.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>openclaw</category><category>authentication-bypass</category><category>secret-rotation</category></item></channel></rss>