CVE-2026-42421

MEDIUM

OpenClaw < 2026.4.8 - WebSocket Session Persistence via Shared Gateway Token Rotation

Title source: cna

Description

OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing shared-token sessions.

References (3)

[Vendor Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-5h3f-885m-v22w

[Patch] https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-websocket-session-persistence-via-shared-gateway-token-rotation

Scores

CVSS v3 5.4

EPSS 0.0003

EPSS Percentile 7.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-613

Status published

Products (2)

OpenClaw/OpenClaw < 2026.4.8

OpenClaw/OpenClaw 2026.4.8

Published Apr 28, 2026

Tracked Since Apr 29, 2026