CVE-2026-53830
Status: Received (Intake)
OpenClaw Webhook Secret Revocation Bypass Vulnerability

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: VulnCheck

Description
OpenClaw before 2026.4.22 contains a webhook secret revocation bypass: after secrets.reload, callers presenting the old Slack and Zalo webhook secrets remain active instead of being rejected. An attacker who holds a superseded secret can use this stale-secret window to deliver webhook events after the operator expects the secret to have been revoked, so credentials that should have been invalidated are still accepted.
Meta Information
Generated: 2026-06-13
EPSS evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products (3 associated CPEs)
Vendor     Product    Version / Range
openclaw   openclaw   before 2026.4.22 (2026.4.22 itself not affected)
slack      slack      * (any version)
zalo       zalo       * (any version)
Exploitability
CWE: CWE-613, Insufficient Session Expiration. According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
AI Quick Actions (AI-generated summary)
Executive Summary

This vulnerability affects OpenClaw versions before 2026.4.22 and is a webhook secret revocation bypass. After secrets.reload, which an operator would expect to revoke the previous Slack and Zalo webhook secrets, callers using those old secrets are still accepted. An attacker who holds a stale secret can use this window to deliver webhook events with credentials that should already have been invalidated.

Impact Analysis

An attacker can continue to send webhook events using revoked or superseded secrets, bypassing the control that secret rotation is meant to provide; the system accepts events it should reject, which can lead to unauthorized actions or data being processed. The CVSS scores indicate moderate severity, with a base score of 6.0 (v4.0) and 6.5 (v3.1), reflecting an integrity impact without direct confidentiality or availability loss. In practice the exposure lasts as long as the running service keeps honouring the old value after reload: rotating a secret in configuration does not help until the verifier actually stops accepting it.
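The failure mode described above, shown as an added example that is not OpenClaw's code and does not reflect how OpenClaw actually verifies Slack or Zalo webhooks. It uses Slack's documented v0 signature scheme (HMAC-SHA256 over "v0:<timestamp>:<body>" with the signing secret); the Zalo scheme is not modelled. The SecretStore, StaleVerifier and LiveVerifier names, the channel key "slack" and the sample secrets and body are hypothetical. The vulnerable verifier snapshots the secret when the handler is built, so a reload swaps the store but the handler keeps honouring the old value; the hardened verifier resolves the active secret on every request and also bounds the timestamp skew so a captured request cannot be replayed indefinitely.

```python
import hashlib
import hmac
import time


def slack_signature(secret: str, timestamp: int, body: bytes) -> str:
    """Slack v0 request signature: HMAC-SHA256 over "v0:<timestamp>:<body>"."""
    base = b"v0:" + str(timestamp).encode() + b":" + body
    return "v0=" + hmac.new(secret.encode(), base, hashlib.sha256).hexdigest()


class SecretStore:
    """Hypothetical store of the currently active webhook secret per channel.

    reload() models a secrets.reload: it replaces the whole mapping.
    """

    def __init__(self, secrets: dict) -> None:
        self._secrets = dict(secrets)

    def reload(self, secrets: dict) -> None:
        self._secrets = dict(secrets)

    def get(self, channel: str) -> str:
        return self._secrets[channel]


class StaleVerifier:
    """Vulnerable pattern: the secret is captured once when the handler is built."""

    def __init__(self, store: SecretStore, channel: str) -> None:
        self._secret = store.get(channel)  # snapshot; a later reload never reaches it

    def verify(self, timestamp: int, body: bytes, signature: str) -> bool:
        expected = slack_signature(self._secret, timestamp, body)
        return hmac.compare_digest(expected, signature)


class LiveVerifier:
    """Hardened pattern: look up the active secret on every request."""

    def __init__(self, store: SecretStore, channel: str, max_skew: int = 300) -> None:
        self._store = store
        self._channel = channel
        self._max_skew = max_skew  # seconds; Slack recommends rejecting old timestamps

    def verify(self, timestamp: int, body: bytes, signature: str, now=None) -> bool:
        now = time.time() if now is None else now
        if abs(now - timestamp) > self._max_skew:
            return False  # stale timestamp: likely a replayed request
        expected = slack_signature(self._store.get(self._channel), timestamp, body)
        return hmac.compare_digest(expected, signature)


def demo() -> dict:
    """Rotate the secret and check which verifier still honours the old one."""
    store = SecretStore({"slack": "old-secret"})  # constructed sample secret
    stale = StaleVerifier(store, "slack")
    live = LiveVerifier(store, "slack")

    ts = 1_700_000_000
    body = b'{"type":"event_callback","event":{"type":"message"}}'  # constructed body
    old_sig = slack_signature("old-secret", ts, body)

    store.reload({"slack": "new-secret"})  # operator-expected revocation of old-secret

    return {
        "stale_accepts_old": stale.verify(ts, body, old_sig),             # the bypass
        "live_accepts_old": live.verify(ts, body, old_sig, now=ts),        # rejected
        "live_accepts_new": live.verify(
            ts, body, slack_signature("new-secret", ts, body), now=ts
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The check a practitioner can run against any webhook receiver is the one demo() performs: sign a request with the pre-rotation secret, rotate, and confirm the receiver now returns a rejection rather than processing the event. The timestamp bound in LiveVerifier is a separate control from secret rotation; it limits replay of a captured request but does nothing against an attacker who holds the secret itself, which is why rotation must take effect immediately.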
