Improper access control in OpenClaw - #VU132774


Published: May 29, 2026


Vulnerability identifier: #VU132774
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to keep delivering webhook events with a retired webhook secret after the secret has been rotated.

The vulnerability exists because the Slack and Zalo webhook secret validation does not pick up the new value after secrets.reload: incoming webhook requests are still checked against the previously loaded secret. A remote user who holds a previously valid webhook secret can therefore continue to sign requests with it and have webhook events accepted after rotation, which defeats the purpose of rotating the secret in response to a suspected leak.

Only configurations with the affected feature enabled and reachable are vulnerable, and exploitation is limited to the stale-secret window after secret reload.
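The failure mode described above is a verifier that captures the secret once, when the handler is built, so that a later reload never reaches it. The following is an added illustration, not OpenClaw's code: the signing scheme is Slack's documented one (HMAC-SHA256 over "v0:<timestamp>:<body>", compared against the "v0=<hex>" value of the X-Slack-Signature header); the SecretStore class, its reload method, the verifier factories and the sample request are all hypothetical stand-ins for whatever secrets.reload does in the real project.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Slack's documented request signing: HMAC-SHA256 over "v0:<timestamp>:<body>"
// keyed with the signing secret, sent as "v0=<hex>" in X-Slack-Signature.
function slackSignature(secret: string, timestamp: string, body: string): string {
  const mac = createHmac("sha256", secret).update(`v0:${timestamp}:${body}`).digest("hex");
  return `v0=${mac}`;
}

// Constant-time comparison; length check first because timingSafeEqual throws
// on mismatched lengths.
function safeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

// Hypothetical secret store (assumption, not the project's API): reload()
// models what a secrets.reload operation does, swapping in a new value.
class SecretStore {
  private slackSigningSecret: string;
  constructor(initial: string) { this.slackSigningSecret = initial; }
  current(): string { return this.slackSigningSecret; }
  reload(next: string): void { this.slackSigningSecret = next; }
}

type Verifier = (timestamp: string, body: string, signature: string) => boolean;

// Vulnerable pattern: the secret is read once when the handler is created and
// closed over, so a later reload() leaves this verifier checking the old value.
function makeStaleVerifier(store: SecretStore): Verifier {
  const secret = store.current();
  return (ts, body, sig) => safeEqual(slackSignature(secret, ts, body), sig);
}

// Hardened pattern: resolve the current secret on every request, so a reload
// takes effect on the very next webhook delivery.
function makeLiveVerifier(store: SecretStore): Verifier {
  return (ts, body, sig) => safeEqual(slackSignature(store.current(), ts, body), sig);
}

// Replays the advisory's scenario with constructed data: rotate the secret,
// then present a request signed with the retired secret to both verifiers.
export function scenario(): { staleAccepts: boolean; liveAccepts: boolean; liveAcceptsNew: boolean } {
  const store = new SecretStore("old-secret");
  const stale = makeStaleVerifier(store);
  const live = makeLiveVerifier(store);

  store.reload("new-secret"); // secret rotation

  const ts = "1700000000";                     // constructed timestamp
  const body = '{"type":"event_callback"}';    // constructed Slack event body
  const signedWithOld = slackSignature("old-secret", ts, body);
  const signedWithNew = slackSignature("new-secret", ts, body);

  return {
    staleAccepts: stale(ts, body, signedWithOld),   // true: stale secret still honoured
    liveAccepts: live(ts, body, signedWithOld),     // false: old secret rejected
    liveAcceptsNew: live(ts, body, signedWithNew),  // true: new secret works
  };
}
```

The only difference between the two factories is where store.current() is called. Any verifier that memoises the secret at construction time, whether in a closure, a module-level constant or a per-route cache, reproduces the stale-secret window the advisory describes; reading the secret at request time closes it.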


Remediation

Install the security update from the vendor's website. After updating, rotate the webhook secret once more and confirm that a request signed with the previous secret is rejected, since the old value may still be in use until the fixed validation is in place.
