← back
CVE-2026-41356

OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate

CVSS 2.3 LOWEPSS 0.2%CWE-613
OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products
OpenClaw · OpenClaw

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/openclaw/openclaw/commit/91f7a6b0fd67b703897e6e307762d471ca09333dhttps://github.com/openclaw/openclaw/security/advisories/GHSA-rfqg-qgf8-xr9xhttps://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-in-device-token-rotate