CVE-2026-41356

MEDIUM CVSS 5.4 View on NVD ↗

Description

OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

References

https://github.com/openclaw/openclaw/commit/91f7a6b0fd67b703897e6e307762d471ca09333d
https://github.com/openclaw/openclaw/security/advisories/GHSA-rfqg-qgf8-xr9x
https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-in-device-token-rotate

Published: Apr 23, 2026 22:16 UTC Modified: Apr 24, 2026 14:40 UTC