OpenClaw Bearer Token Validation Bypass Vulnerability
Vulnerability
A vulnerability in OpenClaw versions prior to 2026.4.15 allows revoked bearer tokens to remain valid after SecretRef rotation. This issue arises because the application captures the resolved bearer-auth configuration at startup and does not re-resolve authentication for each request. As a result, tokens that should have been invalidated can still be used for unauthorized access through gateway HTTP and WebSocket handlers.
Impact
Exploitation of this vulnerability could lead to unauthorized access via revoked bearer tokens, allowing attackers to bypass authentication checks on gateway HTTP and WebSocket upgrade paths.
Reproduction
The vulnerability can be reproduced by starting an OpenClaw gateway server with a bearer token. After rotating the SecretRef, the old token can still be used for authentication on HTTP requests and WebSocket upgrades, until the server is restarted.
Remediation
Users can upgrade to OpenClaw version 2026.4.15 or later, which addresses this vulnerability by re-resolving authentication per request and per WebSocket upgrade, ensuring that rotated tokens are no longer accepted.
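The following is an added illustration of the bug class described in the Vulnerability and Remediation sections above; it is constructed example code, not OpenClaw's own implementation. It models a SecretRef as a small store the operator can rotate, then contrasts a gateway auth check that captures the resolved bearer token at startup (the vulnerable shape) with one that re-resolves the SecretRef on every HTTP request and WebSocket upgrade (the fixed shape). The class names, the `gateway/bearer` reference and the token values are assumptions made for the example.

```python
"""Startup-resolved vs per-request-resolved bearer auth (constructed example)."""
import hmac
from typing import Callable, Dict, Optional, Tuple


class SecretStore:
    """Stand-in for a SecretRef backend that an operator can rotate at runtime."""

    def __init__(self, initial: str) -> None:
        # Constructed reference name; a real deployment would use its own refs.
        self._values = {"gateway/bearer": initial}

    def resolve(self, ref: str) -> str:
        return self._values[ref]

    def rotate(self, ref: str, new_value: str) -> None:
        """Rotate the secret; the old value must stop being accepted."""
        self._values[ref] = new_value


def extract_bearer(headers: Dict[str, str]) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' header, if present."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token


class StartupResolvedAuth:
    """Vulnerable shape: the SecretRef is resolved once when the gateway starts."""

    def __init__(self, store: SecretStore, ref: str) -> None:
        self._token = store.resolve(ref)  # captured here and never refreshed

    def authorize(self, headers: Dict[str, str]) -> bool:
        presented = extract_bearer(headers)
        return presented is not None and hmac.compare_digest(presented, self._token)


class PerRequestResolvedAuth:
    """Fixed shape: the SecretRef is re-resolved on every request or upgrade."""

    def __init__(self, store: SecretStore, ref: str) -> None:
        self._store = store
        self._ref = ref

    def authorize(self, headers: Dict[str, str]) -> bool:
        presented = extract_bearer(headers)
        current = self._store.resolve(self._ref)  # fresh value each time
        return presented is not None and hmac.compare_digest(presented, current)


def gateway_handle(auth, headers: Dict[str, str]) -> int:
    """Both the plain HTTP path and the WebSocket upgrade path share one check.

    Returns an HTTP-style status: 401 when rejected, 101 for an accepted
    WebSocket upgrade, 200 for an accepted plain request.
    """
    if not auth.authorize(headers):
        return 401
    if headers.get("upgrade", "").lower() == "websocket":
        return 101
    return 200


def simulate_rotation(auth_factory: Callable) -> Tuple[int, int, int]:
    """Drive one auth implementation through a rotation.

    Returns (status of old token before rotation,
             status of old token after rotation,
             status of new token after rotation).
    """
    store = SecretStore("old-token")  # constructed token values
    auth = auth_factory(store, "gateway/bearer")
    old_http = {"authorization": "Bearer old-token"}
    old_ws = {"authorization": "Bearer old-token", "upgrade": "websocket"}
    new_ws = {"authorization": "Bearer new-token", "upgrade": "websocket"}

    before = gateway_handle(auth, old_http)
    store.rotate("gateway/bearer", "new-token")
    after_old = gateway_handle(auth, old_ws)
    after_new = gateway_handle(auth, new_ws)
    return before, after_old, after_new


if __name__ == "__main__":
    print("startup-resolved:", simulate_rotation(StartupResolvedAuth))
    print("per-request:     ", simulate_rotation(PerRequestResolvedAuth))
```

With the startup-resolved check, the old token is still accepted on the WebSocket upgrade after rotation (101), which is exactly the window the advisory describes; with the per-request check the same upgrade is rejected (401) and only the rotated token succeeds. A practical regression test for a gateway is therefore the middle value of `simulate_rotation`: rotate the secret, replay the old token on both the HTTP and upgrade paths without restarting, and require a 401.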