CVE-2026-53830
Status: Analyzed (analysis complete)

OpenClaw Webhook Secret Revocation Bypass Vulnerability

Vulnerability report for CVE-2026-53830, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-16

Assigner: VulnCheck

Description

OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability: callers holding old Slack and Zalo webhook secrets remain accepted after secrets.reload. An attacker can use this stale-secret window to deliver webhook events after the point at which the operator expects the secret to have been revoked, because the previous credentials are still accepted.

CVSS Scores


Meta Information

Published: 2026-06-12
Last Modified: 2026-06-16
Generated: 2026-07-03
AI Q&A: 2026-06-13
EPSS Evaluated: 2026-07-02

Affected Vendors & Products

Showing 1 associated CPE

Vendor    Product    Version / Range
openclaw  openclaw   up to 2026.4.22 (exclusive)


Exploitability

CWE-613 (Insufficient Session Expiration). According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."


Executive Summary

This vulnerability exists in OpenClaw versions before 2026.4.22 and involves a webhook secret revocation bypass. Specifically, callers using old Slack and Zalo webhook secrets remain accepted even after the secrets have been reloaded and are expected to be revoked. Attackers can exploit this window, during which stale secrets are still accepted, to deliver webhook events, effectively using previous credentials that should have been invalidated.

Impact Analysis

The impact of this vulnerability is that an attacker can continue to send webhook events using revoked or old secrets, bypassing any control that relies on secret revocation taking effect. Because the system mistakenly accepts stale credentials, forged webhook events could lead to unauthorized actions or data being accepted. The CVSS scores indicate moderate severity, with a base score of 6.0 (v4.0) and 6.5 (v3.1), reflecting an integrity impact without direct confidentiality or availability loss.
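The class of defect described above (a handler keeps verifying against the secret it captured at construction time, so a reload of the secret store never reaches it) is easy to reproduce and to regression-test. The following is an added illustration written for this page, not OpenClaw's code: the HMAC-SHA256 signing scheme, the `SecretStore`, `StaleHandler` and `LiveHandler` names, the channel names and the secret values are all constructed for the example. It shows the stale-snapshot pattern beside a handler that looks the secret up at verification time, and a check that the old secret is rejected immediately after reload.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple


def sign(secret: str, body: bytes) -> str:
    """Hex HMAC-SHA256 a caller attaches to a webhook delivery.

    Constructed scheme for illustration; real providers add timestamps and
    version prefixes, but the revocation problem is independent of that.
    """
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


class SecretStore:
    """Holds the current per-channel webhook secrets; reload() replaces them."""

    def __init__(self, secrets: Dict[str, str]) -> None:
        self._secrets = dict(secrets)

    def get(self, channel: str) -> Optional[str]:
        return self._secrets.get(channel)

    def reload(self, secrets: Dict[str, str]) -> None:
        # Operator-triggered rotation: the old values must stop working now.
        self._secrets = dict(secrets)


class StaleHandler:
    """Vulnerable pattern: the secret is snapshotted once when the handler is
    built, so a later reload of the store never reaches this object and
    deliveries signed with the old secret keep verifying."""

    def __init__(self, store: SecretStore, channel: str) -> None:
        self._secret = store.get(channel) or ""  # captured once, never refreshed

    def accepts(self, body: bytes, signature: str) -> bool:
        return hmac.compare_digest(sign(self._secret, body), signature)


class LiveHandler:
    """Hardened pattern: resolve the secret at verification time, so a reload
    takes effect on the very next delivery and a removed secret rejects all."""

    def __init__(self, store: SecretStore, channel: str) -> None:
        self._store = store
        self._channel = channel

    def accepts(self, body: bytes, signature: str) -> bool:
        secret = self._store.get(self._channel)
        if secret is None:
            return False  # channel de-provisioned: nothing can verify
        return hmac.compare_digest(sign(secret, body), signature)


def rotation_outcome() -> Tuple[bool, bool, bool]:
    """Rotate a constructed 'slack' secret and report
    (stale handler accepts old sig, live handler accepts old sig,
     live handler accepts new sig)."""
    store = SecretStore({"slack": "old-slack-secret"})
    stale = StaleHandler(store, "slack")
    live = LiveHandler(store, "slack")

    # Constructed sample delivery body.
    body = json.dumps({"type": "event_callback", "event": {"text": "hi"}}).encode()
    old_sig = sign("old-slack-secret", body)

    store.reload({"slack": "new-slack-secret"})  # secrets.reload equivalent
    new_sig = sign("new-slack-secret", body)

    return (
        stale.accepts(body, old_sig),  # True: the revocation bypass
        live.accepts(body, old_sig),   # False: old secret rejected
        live.accepts(body, new_sig),   # True: rotated secret works
    )


def old_secret_rejected_after_reload() -> bool:
    """Regression check a project could keep: after reload, a delivery signed
    with the previous secret must be refused by the live handler."""
    _, live_old, live_new = rotation_outcome()
    return (not live_old) and live_new


if __name__ == "__main__":
    print("stale/live(old)/live(new):", rotation_outcome())
    print("old secret rejected after reload:", old_secret_rejected_after_reload())
```

The distinguishing point is where the secret is read: any cache of the secret (a bound handler, a pre-built HMAC object, a per-worker copy) that is not invalidated by the reload path reproduces the issue, so the regression check above is the test worth keeping alongside whatever reload mechanism a deployment uses.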

