CVE-2026-43585: OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation
Gateway HTTP and WebSocket handlers captured the resolved bearer-auth configuration when the server started. After a SecretRef rotation, the already-running gateway could continue accepting the old bearer token until restart.
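The stale-resolution pattern described above, as an added TypeScript illustration that is not OpenClaw's own code: `SecretStore`, the `SecretRef` shape and the function names are assumptions. The vulnerable handler resolves the SecretRef once when it is built, so a rotation never reaches it; the fixed handler keeps the reference and resolves it on every request.

```typescript
// Added illustration of the stale-resolution bug class behind CVE-2026-43585.
// SecretStore, SecretRef and the helper names are assumed, not OpenClaw's.
import { timingSafeEqual } from "crypto";

// A SecretRef points at a secret that can be rotated out of band.
type SecretRef = { ref: string };

// Constructed in-memory store standing in for a real secret backend.
class SecretStore {
  private values = new Map<string, string>();
  constructor(initial: Record<string, string>) {
    for (const [k, v] of Object.entries(initial)) this.values.set(k, v);
  }
  resolve(ref: SecretRef): string {
    const v = this.values.get(ref.ref);
    if (v === undefined) throw new Error(`unresolved SecretRef ${ref.ref}`);
    return v;
  }
  rotate(ref: SecretRef, next: string): void {
    this.values.set(ref.ref, next);
  }
}

// Constant-time comparison: neither length nor content leaks via timing.
function tokenMatches(presented: string, expected: string): boolean {
  const a = Buffer.from(presented, "utf8");
  const b = Buffer.from(expected, "utf8");
  return a.length === b.length && timingSafeEqual(a, b);
}

// Extract the token from an "Authorization: Bearer <token>" header value.
function bearerFrom(authHeader: string | undefined): string | null {
  if (!authHeader) return null;
  const m = /^Bearer\s+(\S+)$/i.exec(authHeader);
  return m?.[1] ?? null;
}

// Vulnerable shape: the SecretRef is resolved once at startup, so the closure
// keeps accepting the pre-rotation token until the process restarts.
function makeStaleAuthCheck(store: SecretStore, ref: SecretRef) {
  const expected = store.resolve(ref); // captured once, never refreshed
  return (authHeader?: string): boolean => {
    const t = bearerFrom(authHeader);
    return t !== null && tokenMatches(t, expected);
  };
}

// Fixed shape: hold the SecretRef and resolve it on every request, so a
// rotation takes effect immediately and the old token stops working.
function makeFreshAuthCheck(store: SecretStore, ref: SecretRef) {
  return (authHeader?: string): boolean => {
    const t = bearerFrom(authHeader);
    return t !== null && tokenMatches(t, store.resolve(ref));
  };
}
```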
References
- github.com/advisories/GHSA-xmxx-7p24-h892
- github.com/openclaw/openclaw/commit/acd4e0a32f12e1ad85f3130f63b42443ce90f094
- github.com/openclaw/openclaw/pull/66651
- github.com/openclaw/openclaw/security/advisories/GHSA-xmxx-7p24-h892
- nvd.nist.gov/vuln/detail/CVE-2026-43585
- www.vulncheck.com/advisories/openclaw-bearer-token-validation-bypass-via-stale-secretref-resolution