VYPR
Medium severity (6.5) · NVD Advisory · Published Jun 12, 2026

CVE-2026-53830

Description

OpenClaw before 2026.4.22 fails to properly revoke Slack and Zalo webhook secrets after secrets.reload, allowing attackers with old secrets to continue sending events.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

OpenClaw before version 2026.4.22 contains a webhook secret revocation bypass (CWE-613 Insufficient Session Expiration [2]) affecting its Slack and Zalo webhook integrations. After an operator rotates secrets with secrets.reload, the previous webhook secrets are not invalidated, leaving a stale-secret window in which callers who still hold the old credentials continue to have their webhook events accepted. The affected integration must be enabled and reachable for the vulnerability to be exploitable [1].

Exploitation

An attacker who can reach the webhook endpoint and holds a webhook secret that was valid before secrets.reload can exploit the stale-secret window: after the operator rotates secrets, the attacker keeps signing and sending webhook events with the old secret, and the endpoint keeps accepting them until the stale secret is actually invalidated. This is exactly the scenario rotation is meant to address, a secret that has leaked or is held by a party whose access the operator intends to cut off. Nothing beyond the old secret and network access to the endpoint is required, and no user interaction is needed [1][2].

Impact

Successful exploitation lets the attacker keep delivering webhook events that the endpoint treats as authenticated after the operator believed the old secret had been revoked. The practical impact depends on the operator's configuration and on whether lower-trust input can reach the webhook handler. The CVSS v4 vector records high integrity impact (VI:H) [2], reflecting the injection of unauthorized events; no data disclosure or remote code execution is described [1].

Mitigation

The first stable patched version is 2026.4.22 [1]. Until the upgrade is applied, restart the affected channel runtime after rotating webhook secrets so that the old secret actually stops being accepted; on affected versions, rotation alone is not sufficient. After rotating (and restarting), confirm revocation by sending a test event signed with the old secret and checking that it is rejected. General hardening recommendations include keeping channel and tool allowlists narrow, not sharing one Gateway between mutually untrusted users, and disabling the affected feature when it is not needed [1]. No KEV listing is currently associated with this CVE.

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
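The mechanism described above, as an added illustration that is not OpenClaw's code and does not reproduce how OpenClaw stored or reloaded its secrets (the page does not describe that): a minimal per-channel secret store with two reload strategies. `reloadAdditive` models the bug class, where a reload introduces the new secret without dropping the old one, so a request signed with the pre-rotation secret still verifies; `reloadReplace` models the expected behaviour, where the reloaded configuration is the complete set of live secrets. Signatures follow Slack's documented request-signing format (`v0=` plus HMAC-SHA256 over `v0:<timestamp>:<body>`); Zalo's scheme is not modelled and the channel names are only map keys. All secrets, timestamps and the event body are constructed.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

export interface WebhookRequest {
  timestamp: number; // seconds since epoch, as carried in the request header
  body: string;
  signature: string;
}

// Slack's documented request-signing scheme: the signed string is
// "v0:<timestamp>:<body>" and the header is "v0=" + hex(HMAC-SHA256(secret, signed string)).
export function signSlackStyle(secret: string, timestamp: number, body: string): string {
  const mac = createHmac("sha256", secret).update(`v0:${timestamp}:${body}`).digest("hex");
  return `v0=${mac}`;
}

function constantTimeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

// Hypothetical per-channel secret store (not OpenClaw's); "slack"/"zalo" are just keys.
export class WebhookSecretStore {
  private secrets = new Map<string, string[]>();

  constructor(initial: Record<string, string>) {
    this.reloadReplace(initial);
  }

  // Assumed vulnerable pattern: reload appends the new secret but never removes the
  // old one, so a pre-rotation secret keeps verifying until the process is restarted.
  reloadAdditive(next: Record<string, string>): void {
    for (const [channel, secret] of Object.entries(next)) {
      const live = this.secrets.get(channel) ?? [];
      if (!live.includes(secret)) live.push(secret);
      this.secrets.set(channel, live);
    }
  }

  // Hardened pattern: the reloaded config is the complete set of live secrets, so any
  // secret absent from it stops verifying on the very next request, no restart needed.
  reloadReplace(next: Record<string, string>): void {
    const fresh = new Map<string, string[]>();
    for (const [channel, secret] of Object.entries(next)) {
      fresh.set(channel, [secret]);
    }
    this.secrets = fresh;
  }

  // True only if the request is inside the replay window and its signature verifies
  // under a secret that is currently live for the channel.
  verify(channel: string, req: WebhookRequest, nowSeconds: number, maxSkewSeconds = 300): boolean {
    if (Math.abs(nowSeconds - req.timestamp) > maxSkewSeconds) return false;
    const live = this.secrets.get(channel);
    if (!live) return false;
    return live.some((secret) =>
      constantTimeEqual(signSlackStyle(secret, req.timestamp, req.body), req.signature),
    );
  }
}

// Post-rotation check: sign one event with the pre-rotation secret and one with the new
// secret, reload both ways, and report what each store accepts. All inputs are constructed.
export function demonstrateRotation() {
  const now = 1780000000;
  const oldSecret = "old-signing-secret-to-be-revoked";
  const newSecret = "new-signing-secret-after-reload";
  const body = '{"type":"event_callback","event":{"type":"message","text":"hello"}}';
  const staleReq: WebhookRequest = { timestamp: now, body, signature: signSlackStyle(oldSecret, now, body) };
  const freshReq: WebhookRequest = { timestamp: now, body, signature: signSlackStyle(newSecret, now, body) };

  const additive = new WebhookSecretStore({ slack: oldSecret });
  additive.reloadAdditive({ slack: newSecret });

  const replacing = new WebhookSecretStore({ slack: oldSecret });
  replacing.reloadReplace({ slack: newSecret });

  return {
    staleAcceptedAfterAdditiveReload: additive.verify("slack", staleReq, now), // true: the bug class
    staleAcceptedAfterReplaceReload: replacing.verify("slack", staleReq, now), // false: revoked
    newAcceptedAfterReplaceReload: replacing.verify("slack", freshReq, now), // true
  };
}
```

The `demonstrateRotation` shape is the check an operator wants after any rotation: a request signed with the retired secret must be rejected, and one signed with the new secret must be accepted, with no restart in between. If the first assertion fails on a live deployment, the rotation did not revoke anything, which is the condition this advisory describes.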

Affected products (1)

Patches (1)
00bd2cf7a376

fix: allow installed plugins through allowlist

https://github.com/OpenClaw/OpenClaw · Peter Steinberger · Apr 23, 2026 · Fixed in 2026.4.22 · linked via release tag
4 files changed · +87 −1
  • CHANGELOG.md (+1 −0, modified)
    @@ -44,6 +44,7 @@ Docs: https://docs.openclaw.ai
     - Thinking defaults/status: raise the implicit default thinking level for reasoning-capable models from legacy `off`/`low` fallback behavior to a safe provider-supported `medium` equivalent when no explicit config default is set, preserve configured-model reasoning metadata when runtime catalog loading is empty, and make `/status` report the same resolved default as runtime.
     - Gateway/model pricing: fetch OpenRouter and LiteLLM pricing asynchronously at startup and extend catalog fetch timeouts to 30 seconds, reducing noisy timeout warnings during slow upstream responses.
     - Agents/sessions: keep daily reset and idle-maintenance bookkeeping from bumping session activity or pruning freshly active routes, so active conversations no longer look newer or disappear for maintenance-only updates.
    +- Plugins/install: add newly installed plugin ids to an existing `plugins.allow` list before enabling them, so allowlisted configs load installed plugins after restart.
     - Status: show `Fast` in `/status` when fast mode is enabled, including config/default-derived fast mode, and omit it when disabled.
     - OpenAI/image generation: detect Azure OpenAI-style image endpoints, use Azure `api-key` auth plus deployment-scoped image URLs, honor `AZURE_OPENAI_API_VERSION`, and document the Azure setup path so image generation and edits work against Azure-hosted OpenAI resources. (#70570) Thanks @zhanggpcsu.
     - Telegram/forum topics: cache recovered forum metadata with bounded expiry so supergroup updates no longer need repeated `getChat` lookups before topic routing.
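Review bot: the single changelog line this commit adds, "Plugins/install: add newly installed plugin ids to an existing `plugins.allow` list before enabling them", describes plugin allowlist handling, not Slack or Zalo webhook secret revocation after secrets.reload, and the commit metadata above ties it to this CVE only via the release tag. Treat 2026.4.22 as the release that carries the fix, but do not cite this commit as the fix itself; the change to webhook secret handling is not shown on this page.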
    
  • docs/tools/plugin.md (+4 −0, modified)
    @@ -255,6 +255,10 @@ plugin). Other bundled plugins still need `openclaw plugins enable <id>`.
     plugins. It is not supported with `--link`, which reuses the source path instead
     of copying over a managed install target.
     
    +When `plugins.allow` is already set, `openclaw plugins install` adds the
    +installed plugin id to that allowlist before enabling it, so installs are
    +immediately loadable after restart.
    +
     `openclaw plugins update <id-or-npm-spec>` applies to tracked installs. Passing
     an npm package spec with a dist-tag or exact version resolves the package name
     back to the tracked plugin record and records the new spec for future updates.
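Review bot: the added paragraph covers only `openclaw plugins install`, while the surrounding context says bundled plugins are turned on with `openclaw plugins enable <id>`, and this commit touches only the install path; say explicitly whether `plugins enable` leaves `plugins.allow` alone. The paragraph should also state plainly that a restrictive allowlist is widened by every install, since operators who maintain `plugins.allow` as a security boundary need to know the CLI now edits it for them.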
    
  • src/cli/plugins-install-persist.test.ts (+64 −0, added)
    @@ -0,0 +1,64 @@
    +import { beforeEach, describe, expect, it } from "vitest";
    +import type { OpenClawConfig } from "../config/config.js";
    +import {
    +  enablePluginInConfig,
    +  recordPluginInstall,
    +  resetPluginsCliTestState,
    +  writeConfigFile,
    +} from "./plugins-cli-test-helpers.js";
    +
    +describe("persistPluginInstall", () => {
    +  beforeEach(() => {
    +    resetPluginsCliTestState();
    +  });
    +
    +  it("adds installed plugins to restrictive allowlists before enabling", async () => {
    +    const { persistPluginInstall } = await import("./plugins-install-persist.js");
    +    const baseConfig = {
    +      plugins: {
    +        allow: ["memory-core"],
    +      },
    +    } as OpenClawConfig;
    +    const enabledConfig = {
    +      plugins: {
    +        allow: ["alpha", "memory-core"],
    +        entries: {
    +          alpha: { enabled: true },
    +        },
    +      },
    +    } as OpenClawConfig;
    +    const persistedConfig = {
    +      plugins: {
    +        ...enabledConfig.plugins,
    +        installs: {
    +          alpha: {
    +            source: "npm",
    +            spec: "alpha@1.0.0",
    +            installPath: "/tmp/alpha",
    +          },
    +        },
    +      },
    +    } as OpenClawConfig;
    +
    +    enablePluginInConfig.mockImplementation((...args: unknown[]) => {
    +      const [cfg, pluginId] = args as [OpenClawConfig, string];
    +      expect(pluginId).toBe("alpha");
    +      expect(cfg.plugins?.allow).toEqual(["alpha", "memory-core"]);
    +      return { config: enabledConfig };
    +    });
    +    recordPluginInstall.mockReturnValue(persistedConfig);
    +
    +    const next = await persistPluginInstall({
    +      config: baseConfig,
    +      pluginId: "alpha",
    +      install: {
    +        source: "npm",
    +        spec: "alpha@1.0.0",
    +        installPath: "/tmp/alpha",
    +      },
    +    });
    +
    +    expect(next).toBe(persistedConfig);
    +    expect(writeConfigFile).toHaveBeenCalledWith(persistedConfig);
    +  });
    +});
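Review bot: the assertions on `pluginId` and `cfg.plugins?.allow` sit inside `enablePluginInConfig.mockImplementation`, so the test still passes if `persistPluginInstall` never calls the mock: `recordPluginInstall.mockReturnValue(persistedConfig)` makes `next` equal `persistedConfig` either way. Add `expect(enablePluginInConfig).toHaveBeenCalledTimes(1)` (or `toHaveBeenCalledWith` on the allowlisted config) so the allowlist path is actually exercised, and add cases for the branches of `addInstalledPluginToAllowlist` this test does not reach: `plugins.allow` unset, an empty array, and an allowlist that already contains the plugin id, each of which should leave the config untouched.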
    
  • src/cli/plugins-install-persist.ts (+18 −1, modified)
    @@ -12,6 +12,20 @@ import {
       logSlotWarnings,
     } from "./plugins-command-helpers.js";
     
    +function addInstalledPluginToAllowlist(cfg: OpenClawConfig, pluginId: string): OpenClawConfig {
    +  const allow = cfg.plugins?.allow;
    +  if (!Array.isArray(allow) || allow.length === 0 || allow.includes(pluginId)) {
    +    return cfg;
    +  }
    +  return {
    +    ...cfg,
    +    plugins: {
    +      ...cfg.plugins,
    +      allow: [...allow, pluginId].toSorted(),
    +    },
    +  };
    +}
    +
     export async function persistPluginInstall(params: {
       config: OpenClawConfig;
       baseHash?: string;
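Review bot: `addInstalledPluginToAllowlist` turns `plugins.allow` from a restriction the operator maintains into one the CLI rewrites on every install, which quietly widens the boundary; that is a deliberate policy change and deserves a comment here saying so. The early return on `allow.length === 0` is only correct if an empty allowlist means "no restriction" rather than "allow nothing", so spell that semantic out next to the check. Finally, `[...allow, pluginId].toSorted()` needs ES2023 array methods (Node 20+); since the spread already produces a copy, `[...allow, pluginId].sort()` gives the same result without the runtime requirement.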
    @@ -20,7 +34,10 @@ export async function persistPluginInstall(params: {
       successMessage?: string;
       warningMessage?: string;
     }): Promise<OpenClawConfig> {
    -  let next = enablePluginInConfig(params.config, params.pluginId).config;
    +  let next = enablePluginInConfig(
    +    addInstalledPluginToAllowlist(params.config, params.pluginId),
    +    params.pluginId,
    +  ).config;
       next = recordPluginInstall(next, {
         pluginId: params.pluginId,
         ...params.install,
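Review bot: the adjusted config flows straight through `enablePluginInConfig` and `recordPluginInstall` and is then written out, so an allowlist that was widened is persisted with no indication to the operator. This function already takes `successMessage` and `warningMessage`; compare `params.config.plugins?.allow` with the allowlist of the adjusted config and emit a warning (or append to the success message) when the plugin id was added, so the change to `plugins.allow` is visible in the CLI output rather than only in the config file.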
    


References (2)

News mentions (0)

No linked articles in our index yet.