OpenClaw versions before 2026.4.15 contain a critical authentication bypass vulnerability where bearer authentication tokens are cached at startup and not refreshed per-request. This allows revoked tokens to remain valid even after SecretRef rotation, enabling attackers to use expired bearer tokens for unauthorized access to gateway HTTP and WebSocket handlers. The vulnerability stems from the failure to re-resolve authentication configurations on each request, creating a significant security gap in token validation processes.