CVE-2026-34503
Severity: HIGH
OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation
Title source: cna
Description
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when a device is removed or a token is revoked. An attacker holding revoked credentials can therefore retain unauthorized access through an existing live session until a reconnection is forced, at which point the revoked credential is rejected.
References (3)
Core References
Third Party Advisory
GitHub Security Advisory (GHSA-2pr2-hcv6-7gwv)
https://github.com/openclaw/openclaw/security/advisories/GHSA-2pr2-hcv6-7gwv
Patch
Patch Commit
https://github.com/openclaw/openclaw/commit/7a801cc451e9e667b705eeccff651923a1b8c863
Third Party Advisory
VulnCheck Advisory: OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation
https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-on-device-removal-and-token-revocation
Scores
CVSS v3
8.1
EPSS
0.0033
EPSS Percentile
24.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-613
Status
published
Products (4)
npm/openclaw
0 - 2026.3.28 (npm)
OpenClaw/OpenClaw
< 2026.3.28
openclaw/openclaw
< 2026.3.28
OpenClaw/OpenClaw
2026.3.28
Published
Mar 31, 2026
Tracked Since
Mar 31, 2026