CVE-2026-43585
Bearer Token Validation Bypass in OpenClaw

Publication date: 2026-05-06

Last updated on: 2026-05-07

Assigner: VulnCheck

Description
OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per-request, enabling attackers to use rotated-out bearer tokens for unauthorized gateway access.
Meta Information
Generated: 2026-05-27
AI Q&A: 2026-05-07
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor: openclaw
Product: openclaw
Version / Range: to 2026.4.15 (exc)
CWE-672: The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in OpenClaw versions before 2026.4.15. It occurs because the system captures the resolved bearer-auth configuration only at startup, which means that revoked tokens remain valid even after the SecretRef (the secret reference used for authentication) is rotated. Additionally, the gateway's HTTP and WebSocket handlers do not re-resolve authentication on a per-request basis, allowing attackers to use bearer tokens that should have been invalidated to gain unauthorized access to the gateway.


How can this vulnerability impact me?

This vulnerability can allow attackers to use revoked bearer tokens to gain unauthorized access to the gateway. Since the system does not properly invalidate tokens after secret rotation, attackers can bypass authentication controls, potentially leading to unauthorized access to sensitive systems or data.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows revoked bearer tokens to remain valid after secret rotation, enabling unauthorized access to gateway HTTP and WebSocket handlers. Such unauthorized access can lead to potential exposure or misuse of sensitive data.

Because the vulnerability permits continued use of revoked tokens without immediate invalidation, it undermines proper access control and session management practices required by common standards and regulations such as GDPR and HIPAA.

Failure to promptly invalidate revoked credentials could result in non-compliance with these regulations, which mandate strict controls on authentication, authorization, and protection of sensitive information.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability occurs because OpenClaw versions before 2026.4.15 do not re-resolve bearer-auth credentials per request, allowing revoked tokens to remain valid until the gateway restarts.

To detect this vulnerability on your system, you can check the OpenClaw version running on your gateway. If it is earlier than 2026.4.15, your system is vulnerable.

Additionally, monitoring network traffic for repeated use of bearer tokens that should have been revoked can help identify exploitation attempts.

  • Check the OpenClaw version, for example with `openclaw --version`, or look at package.json or the installed npm package version.
  • Inspect gateway logs for authentication attempts using old bearer tokens after a SecretRef rotation.
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture HTTP/WebSocket traffic and analyze bearer tokens for reuse after secret rotations.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade OpenClaw to version 2026.4.15 or later, which includes a fix that re-resolves bearer authentication per request, preventing revoked tokens from remaining valid.

Until you can upgrade, you should restart the OpenClaw gateway service after any SecretRef rotation to invalidate old bearer tokens.

  • Apply the official patch or upgrade OpenClaw to version 2026.4.15 or newer.
  • Restart the gateway service immediately after rotating bearer tokens or secrets.
  • Monitor authentication logs for suspicious use of old tokens.
