← back
CVE-2026-41356

OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate

CVSS 2.3 LOWEPSS 0.2%CWE-613
Vexday Risk Score
8Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 2.3EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
23 Apr 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products
OpenClaw · OpenClaw

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/openclaw/openclaw/commit/91f7a6b0fd67b703897e6e307762d471ca09333dhttps://github.com/openclaw/openclaw/security/advisories/GHSA-rfqg-qgf8-xr9xhttps://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-in-device-token-rotate