CVE-2026-41356

low

Description

OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.

References

https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-in-device-token-rotate

https://github.com/openclaw/openclaw/security/advisories/GHSA-rfqg-qgf8-xr9x

https://github.com/openclaw/openclaw/commit/91f7a6b0fd67b703897e6e307762d471ca09333d

Details

Source: Mitre, NVD

Published: 2026-04-23

Updated: 2026-04-24

Risk Information

CVSS v2

Base Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 5.4

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Severity: Medium

CVSS v4

Base Score: 2.3

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Severity: Low

EPSS

EPSS: 0.00025

Detections

Analytics