CVE-2026-41356

MEDIUM

OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate

Title source: cna

Description

OpenClaw before 2026.3.31 fails to terminate WebSocket sessions that are already established when a device token is rotated via device.token.rotate. An attacker holding a previously compromised device token therefore keeps unauthorized access through an existing WebSocket connection after the token has been rotated, the session-expiration failure classified as CWE-613.

Scores

CVSS v3 5.4
EPSS 0.0003
EPSS Percentile 7.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Details

CWE
CWE-613
Status published
Products (2)
OpenClaw/OpenClaw < 2026.3.31
OpenClaw/OpenClaw 2026.3.31
Published Apr 23, 2026
Tracked Since Apr 24, 2026