CVE-2026-41356
MEDIUMOpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate
Title source: cnaDescription
OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-rfqg-qgf8-xr9x)
https://github.com/openclaw/openclaw/security/advisories/GHSA-rfqg-qgf8-xr9x
Patch patch
Patch Commit
https://github.com/openclaw/openclaw/commit/91f7a6b0fd67b703897e6e307762d471ca09333d
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate
https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-in-device-token-rotate
Scores
CVSS v3
5.4
EPSS
0.0019
EPSS Percentile
8.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-613
Status
published
Products (4)
npm/openclaw
0 - 2026.3.31npm
OpenClaw/OpenClaw
< 2026.3.31
openclaw/openclaw
< 2026.3.31
OpenClaw/OpenClaw
2026.3.31
Published
Apr 23, 2026
Tracked Since
Apr 24, 2026