CVE-2026-41356

OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.

medium 5.4 CVSS 3.1

Published: Apr 23, 2026

Modified: Apr 24, 2026

Description

References

https://github.com/openclaw/openclaw/commit/91f7a6b0fd67b703897e6e307762d471ca09333d
https://github.com/openclaw/openclaw/security/advisories/GHSA-rfqg-qgf8-xr9x
https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-in-device-token-rotate

Version	3.1
Score	5.4 / 10
Severity	medium