CWE-324
AllowedUse of a Key Past its Expiration Date
Abstraction: Base · Status: Draft
The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.
41 vulnerabilities reference this CWE, most recent first.
GHSA-XMXX-7P24-H892
Vulnerability from github – Published: 2026-04-17 22:32 – Updated: 2026-05-12 13:35Summary
Gateway HTTP and WebSocket handlers captured the resolved bearer-auth configuration when the server started. After a SecretRef rotation, the already-running gateway could continue accepting the old bearer token until restart.
Impact
A bearer token that should have been revoked by SecretRef rotation could remain valid on the gateway HTTP and upgrade surfaces for the lifetime of the process. Severity remains high because the old token could continue to authorize gateway requests after operators believed it was rotated out.
Affected versions
- Affected:
< 2026.4.15 - Patched:
2026.4.15
Fix
OpenClaw 2026.4.15 resolves active gateway auth from the runtime secret snapshot per request and per upgrade instead of using a stale startup-time value.
Verified in v2026.4.15:
src/gateway/server.impl.tsexposesgetResolvedAuth()backed by the current runtime secret snapshot.src/gateway/server-http.tscallsgetResolvedAuth()for each HTTP request and WebSocket upgrade before running auth checks.src/gateway/server-http.probe.test.tsverifies/readyre-resolves bearer auth after rotation and rejects the old token.
Fix commit included in v2026.4.15 and absent from v2026.4.14:
acd4e0a32f12e1ad85f3130f63b42443ce90f094via PR #66651
Thanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-43585"
],
"database_specific": {
"cwe_ids": [
"CWE-324",
"CWE-672"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-17T22:32:02Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Summary\n\nGateway HTTP and WebSocket handlers captured the resolved bearer-auth configuration when the server started. After a SecretRef rotation, the already-running gateway could continue accepting the old bearer token until restart.\n\n## Impact\n\nA bearer token that should have been revoked by SecretRef rotation could remain valid on the gateway HTTP and upgrade surfaces for the lifetime of the process. Severity remains high because the old token could continue to authorize gateway requests after operators believed it was rotated out.\n\n## Affected versions\n\n- Affected: `\u003c 2026.4.15`\n- Patched: `2026.4.15`\n\n## Fix\n\nOpenClaw `2026.4.15` resolves active gateway auth from the runtime secret snapshot per request and per upgrade instead of using a stale startup-time value.\n\nVerified in `v2026.4.15`:\n\n- `src/gateway/server.impl.ts` exposes `getResolvedAuth()` backed by the current runtime secret snapshot.\n- `src/gateway/server-http.ts` calls `getResolvedAuth()` for each HTTP request and WebSocket upgrade before running auth checks.\n- `src/gateway/server-http.probe.test.ts` verifies `/ready` re-resolves bearer auth after rotation and rejects the old token.\n\nFix commit included in `v2026.4.15` and absent from `v2026.4.14`:\n\n- `acd4e0a32f12e1ad85f3130f63b42443ce90f094` via PR #66651\n\nThanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue.",
"id": "GHSA-xmxx-7p24-h892",
"modified": "2026-05-12T13:35:23Z",
"published": "2026-04-17T22:32:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xmxx-7p24-h892"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43585"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/pull/66651"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/acd4e0a32f12e1ad85f3130f63b42443ce90f094"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-bearer-token-validation-bypass-via-stale-secretref-resolution"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation"
}
Mitigation
Adequate consideration should be put in to the user interface in order to notify users previous to the key's expiration, to explain the importance of new key generation and to walk users through the process as painlessly as possible.
No CAPEC attack patterns related to this CWE.