CVE-2026-43585

HIGH

OpenClaw < 2026.4.15 - Bearer Token Validation Bypass via Stale SecretRef Resolution

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-43585. PoCs published by ByteWraith1.

AI-analyzed exploit summary: The repository claims to provide a PoC for CVE-2026-43585 but lacks actual exploit code, instead redirecting users to an external link (tinyurl.com). The README contains vague technical details and emphasizes ethical warnings without demonstrating the vulnerability.

Description

OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per request, enabling attackers to use rotated-out bearer tokens for unauthorized gateway access.

Exploits (1)

nomisec · SUSPICIOUS
by ByteWraith1 · poc
https://github.com/ByteWraith1/CVE-2026-43585

Classification
Suspicious 90%
Attack Type
Auth Bypass
Complexity
Theoretical
Reliability
Theoretical
Target: OpenClaw (versions prior to 2026.4.15)
No auth needed
Prerequisites: Python 3.8+ · requests library · argparse library
devstral-2 · analyzed May 07, 2026

References (3)

Core References
Vendor Advisory
GitHub Security Advisory (GHSA-xmxx-7p24-h892)
https://github.com/openclaw/openclaw/security/advisories/GHSA-xmxx-7p24-h892
Third Party Advisory
VulnCheck Advisory: OpenClaw < 2026.4.15 - Bearer Token Validation Bypass via Stale SecretRef Resolution
https://www.vulncheck.com/advisories/openclaw-bearer-token-validation-bypass-via-stale-secretref-resolution

Scores

CVSS v3 8.1
EPSS 0.0054
EPSS Percentile 41.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-672
Status published
Products (4)
npm/openclaw 0 - 2026.4.15 (npm)
OpenClaw/OpenClaw < 2026.4.15
openclaw/openclaw < 2026.4.15
OpenClaw/OpenClaw 2026.4.15
Published May 06, 2026
Tracked Since May 07, 2026