GHSA-xmxx-7p24-h892: OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation
Gateway HTTP and WebSocket handlers captured the resolved bearer-auth configuration when the server started. After a SecretRef rotation, the already-running gateway could continue accepting the old bearer token until restart.
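The stale-credential pattern described above, next to a handler that re-resolves the secret on each request. This is an added illustration, not OpenClaw code; `SecretStore`, `makeCapturedAuth`, `makeLiveAuth` and the token values are hypothetical and constructed.

```javascript
// Added illustration; every name and token below is hypothetical/constructed.
class SecretStore { // stand-in for a SecretRef-backed secret source
  constructor(value) { this.value = value; }
  resolve() { return this.value; }
  rotate(next) { this.value = next; }
}

// Compare without stopping at the first mismatching character.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

function bearerOf(headers) {
  const m = /^Bearer (.+)$/.exec(headers.authorization || "");
  return m ? m[1] : null;
}

// Pattern from the advisory: the secret is resolved once, when the handler is built.
function makeCapturedAuth(store) {
  const token = store.resolve(); // frozen at server start, never refreshed
  return (headers) => {
    const presented = bearerOf(headers);
    return presented !== null && safeEqual(presented, token);
  };
}

// Hardened form: resolve the secret at request time so a rotation takes effect.
function makeLiveAuth(store) {
  return (headers) => {
    const presented = bearerOf(headers);
    return presented !== null && safeEqual(presented, store.resolve());
  };
}

// Constructed scenario: build both handlers, rotate, then present old and new tokens.
function demo() {
  const store = new SecretStore("old-token-constructed");
  const captured = makeCapturedAuth(store);
  const live = makeLiveAuth(store);
  store.rotate("new-token-constructed");
  const oldReq = { authorization: "Bearer old-token-constructed" };
  const newReq = { authorization: "Bearer new-token-constructed" };
  return { capturedAcceptsOld: captured(oldReq), capturedAcceptsNew: captured(newReq),
           liveAcceptsOld: live(oldReq), liveAcceptsNew: live(newReq) };
}
```

After the rotation, the captured handler still accepts the old token and rejects the new one until it is rebuilt, while the per-request handler does the opposite.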