GHSA-q8ff-7ffm-m3r9: OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload
OpenClaw webhooks allowed route secrets to be backed by SecretRef values, but cached the resolved secret for a route. After an operator rotated the underlying secret and ran openclaw secrets reload, the previous resolved webhook secret could remain valid until the plugin or gateway restarted.
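The failure mode described above, as an added example that is not OpenClaw's code: a simplified model contrasting a per-route cache that never re-resolves with one tied to a reload generation. All class, method and route names and the secret values are hypothetical and constructed for illustration.

```javascript
// Simplified model; every name here is hypothetical, not OpenClaw's API.
class SecretStore {
  constructor(backing) { this.backing = backing; this.snapshot = { ...backing }; this.generation = 1; }
  rotate(ref, value) { this.backing[ref] = value; } // operator rotates the underlying secret
  reload() { this.snapshot = { ...this.backing }; this.generation += 1; } // stands in for a secrets reload
  resolve(ref) { return this.snapshot[ref]; }
}

// Compare without exiting early on the first mismatching character.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Behaviour the advisory describes: resolved once per route, never invalidated.
class CachedRoute {
  constructor(store, ref) { this.store = store; this.ref = ref; this.cached = undefined; }
  accepts(presented) {
    if (this.cached === undefined) this.cached = this.store.resolve(this.ref);
    return safeEqual(presented, this.cached);
  }
}

// Hardened form: the cached value is only trusted for the generation it was resolved in.
class ReloadAwareRoute extends CachedRoute {
  accepts(presented) {
    if (this.seen !== this.store.generation) {
      this.cached = this.store.resolve(this.ref);
      this.seen = this.store.generation;
    }
    return safeEqual(presented, this.cached);
  }
}

// Constructed sample values; rotate, reload, then present old and new secrets.
function demo() {
  const store = new SecretStore({ "hooks/deploy": "old-constructed" });
  const routes = { cached: new CachedRoute(store, "hooks/deploy"), aware: new ReloadAwareRoute(store, "hooks/deploy") };
  for (const r of Object.values(routes)) r.accepts("old-constructed"); // warm both caches
  store.rotate("hooks/deploy", "new-constructed"); store.reload();
  const out = {};
  for (const [name, r] of Object.entries(routes)) {
    out[name] = { old: r.accepts("old-constructed"), fresh: r.accepts("new-constructed") };
  }
  return out;
}
console.log(JSON.stringify(demo()));
```

The same rotate, reload, then present-the-old-secret sequence works as a regression check against a patched deployment: the old value should be rejected without restarting the plugin or gateway.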