External risk intelligence

OpenClaw allows attackers to access systems with revoked credentials.

CVE advisory

Severity: CRITICAL (CVSS 9.2)

CVE-2026-43585

OpenClaw gateways can be accessed by revoked credentials, allowing unauthorized users to bypass security controls and access your systems.

Halo Surface Signal: 5

OpenClaw

Affected versions: before 2026.4.15

External exposure likelihood

Halo Surface Signal score for CVE-2026-43585

The vulnerability affects OpenClaw's HTTP and WebSocket gateway handlers. Gateways are designed to act as traffic entry points, typically residing at the network edge to mediate connectivity between external clients and internal resources. Given their role in managing incoming requests and authentication, these services are inherently public-facing and very likely to be reachable.

PCI scan relevance


CVE-2026-43585 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability is relevant to PCI scans as it allows unauthorized gateway access through the use of rotated bearer tokens, which could be exploited by attackers.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This issue in OpenClaw allows revoked access tokens to remain valid after configuration changes, potentially granting unauthorized access to gateway services. Teams should pay attention because this could let attackers bypass authentication controls and access sensitive resources.

  • Unauthorized gateway access is possible.
  • Affected systems are likely internet-facing.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this by presenting a previously valid bearer token that has since been revoked. Because the token is still accepted, they bypass authentication and gain unauthorized access to the OpenClaw gateway over both HTTP and WebSocket connections. The root cause is that the gateway resolves its bearer-auth configuration only once, at startup, rather than re-resolving it on each request, so a token rotated out after startup is never recognized as revoked.

  • No currently valid credential is needed.
  • Attacker needs a rotated-out token.
  • Vulnerable: gateway handlers.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows revoked bearer tokens to remain valid after secret rotation, granting unauthorized gateway access. Attackers are likely to target this because it enables them to bypass authentication and access sensitive resources without needing to exploit other vulnerabilities. The impact is significant due to the direct pathway to unauthorized data or system control.

  • Exploitable via network.
  • No exploit code publicly available.
  • Recent advisory published.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching or upgrading OpenClaw to version 2026.4.15 or later to fix the bearer token validation vulnerability. If immediate patching is not feasible, implement strict network segmentation and enhanced monitoring for any unauthorized access attempts on your gateways.

  • Upgrade OpenClaw to 2026.4.15.
  • Monitor gateway logs for anomalous traffic.
  • Consider temporary service isolation.

Frequently asked questions

What is OpenClaw and what is it used for?

OpenClaw is a software component used for managing gateway services, handling both HTTP and WebSocket connections. It is designed to mediate connectivity between external clients and internal resources, acting as a traffic entry point.

What type of vulnerability does CVE-2026-43585 represent?

CVE-2026-43585 is a security vulnerability classified as CWE-672 (operation on a resource after expiration or release): the gateway captures the resolved bearer-auth configuration at startup and keeps using it. This weakness allows revoked tokens to remain valid after configuration changes, leading to unauthorized access.

How can an attacker exploit this OpenClaw vulnerability?

An attacker can exploit this by using a bearer token that was previously valid but has since been revoked. The vulnerability is triggered because the gateway handlers fail to re-resolve authentication for each request, allowing these stale tokens to grant unauthorized access.
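The following is an added illustration of the mechanism described in the Attack Path section and in this answer, not OpenClaw code: a handler that captures the expected bearer token once at startup is placed beside one that re-reads it from the secret store on every request and reports any rotated-out token it sees, which is the kind of signal the gateway-log monitoring above would want. `SecretStore`, the gateway classes, the token strings and the fingerprint scheme are all constructed for the example.

```python
"""Added example: startup-captured bearer config (the CWE-672 shape in this advisory)
next to a per-request re-resolving check. SecretStore, both gateway classes and the
token values are constructed for illustration; none of this is OpenClaw's own code."""
import hashlib
import hmac
from typing import Optional


def fingerprint(token: str) -> str:
    # Hash so retired tokens can be recognised in logs without storing them in clear.
    return hashlib.sha256(token.encode()).hexdigest()[:16]


class SecretStore:
    """Constructed stand-in for wherever operators keep the gateway's bearer secret."""

    def __init__(self, token: str) -> None:
        self._token = token
        self.retired: set[str] = set()   # fingerprints of rotated-out tokens

    def current_token(self) -> str:
        return self._token

    def rotate(self, new_token: str) -> None:
        self.retired.add(fingerprint(self._token))
        self._token = new_token


def extract_bearer(auth_header: Optional[str]) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' header, else None."""
    if not auth_header:
        return None
    scheme, _, token = auth_header.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def tokens_match(presented: str, expected: str) -> bool:
    # Constant-time comparison on bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(presented.encode(), expected.encode())


class StartupCapturedGateway:
    """Weak pattern: the expected token is resolved once, when the handler is built.
    Rotating the store later has no effect on it, so the old token keeps working."""

    def __init__(self, store: SecretStore) -> None:
        self._expected = store.current_token()   # captured at startup, never refreshed

    def authorize(self, auth_header: Optional[str]) -> bool:
        presented = extract_bearer(auth_header)
        return presented is not None and tokens_match(presented, self._expected)


class PerRequestGateway:
    """Hardened pattern: the expected token is re-read from the store on every
    request, and a presented token that matches a retired one is reported."""

    def __init__(self, store: SecretStore) -> None:
        self._store = store
        self.alerts: list[str] = []   # detection signal for gateway-log monitoring

    def classify(self, auth_header: Optional[str]) -> str:
        presented = extract_bearer(auth_header)
        if presented is None:
            return "missing"
        if tokens_match(presented, self._store.current_token()):
            return "ok"
        if fingerprint(presented) in self._store.retired:
            self.alerts.append(f"retired token presented fp={fingerprint(presented)}")
            return "revoked"
        return "invalid"

    def authorize(self, auth_header: Optional[str]) -> bool:
        # The same check covers WebSocket connections: the upgrade is an ordinary
        # HTTP request carrying the same Authorization header.
        return self.classify(auth_header) == "ok"


def rotation_demo() -> dict:
    """Build both gateways, rotate the secret, then replay the old and new tokens."""
    store = SecretStore("tok-old-CONSTRUCTED")
    weak = StartupCapturedGateway(store)
    hardened = PerRequestGateway(store)
    store.rotate("tok-new-CONSTRUCTED")
    old, new = "Bearer tok-old-CONSTRUCTED", "Bearer tok-new-CONSTRUCTED"
    return {
        "weak_accepts_revoked": weak.authorize(old),          # True: the advisory's bug
        "weak_accepts_current": weak.authorize(new),          # False: legit clients locked out
        "hardened_accepts_revoked": hardened.authorize(old),  # False
        "hardened_accepts_current": hardened.authorize(new),  # True
        "hardened_alerts": len(hardened.alerts),              # 1: retired token was seen
    }


if __name__ == "__main__":
    for key, value in rotation_demo().items():
        print(f"{key}: {value}")
```

The weak handler fails in both directions after rotation: the retired token is still accepted, and the new token is rejected, which is why a rotation that "did not take" can look like a client outage rather than an authentication bypass. Re-resolving on each request costs one secret-store read, and keeping fingerprints of retired tokens gives the monitoring step a precise thing to alert on.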

Who should be concerned about this CVE based on its exposure?

Organizations running OpenClaw should be concerned because this vulnerability affects gateway handlers, which are typically internet-facing. This means attackers could potentially reach these systems from the internet, making them a significant risk.

What is the first step to address this OpenClaw vulnerability?

The primary step is to upgrade OpenClaw to version 2026.4.15 or a later version. If an immediate upgrade is not possible, consider implementing network segmentation and closely monitoring gateway logs for any unusual activity.
