← volver
CVE-2026-41356

OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate

CVSS 2.3 LOWEPSS 0.2%CWE-613
OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Productos afectados
OpenClaw · OpenClaw

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/openclaw/openclaw/commit/91f7a6b0fd67b703897e6e307762d471ca09333dhttps://github.com/openclaw/openclaw/security/advisories/GHSA-rfqg-qgf8-xr9xhttps://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-in-device-token-rotate