Description
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.
Published: 2026-03-31
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Session Persistence
Action: Immediate Patch
AI Analysis

Impact

OpenClaw versions before 2026.3.28 do not close active WebSocket sessions when a device is removed or an authentication token is revoked. The description implies that the token is validated only when the connection is established, never afterwards, so an attacker whose credentials have been revoked keeps a working session until the client is forced to reconnect and fails the handshake. Revocation therefore does not take effect for exactly the sessions it is meant to end, leaving the revoked party with continued access to whatever the live session could read or change. The weakness is CWE-613, Insufficient Session Expiration: the session's lifetime is bound to the socket rather than to the validity of the credential that authenticated it.
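To make the failure mode concrete, the following is an added illustration written for this page, not OpenClaw's own code; the gateway classes, the FakeSocket stand-in, the method names and the token and device identifiers are all assumptions. It shows a WebSocket gateway that validates the token only at handshake time and, on revocation, edits the token table without touching live sessions, beside a hardened variant that closes every session bound to the revoked token or removed device and re-checks the token on each message:

```javascript
// Added example (not OpenClaw's code): CWE-613 in a WebSocket gateway, vulnerable
// registry beside a hardened one. Class, method, token and device names are assumptions.

// Stand-in for a server-side WebSocket so the example runs without a network.
class FakeSocket {
  constructor() {
    this.open = true;
    this.closeCode = null;
    this.closeReason = null;
  }
  close(code, reason) {
    this.open = false;
    this.closeCode = code;
    this.closeReason = reason;
  }
}

// Vulnerable pattern: the token is checked once at handshake time, and revoking a
// token or removing a device only edits the token table. Live sessions are untouched.
class VulnerableGateway {
  constructor() {
    this.validTokens = new Map(); // token -> { deviceId }
    this.sessions = new Map();    // socket -> { token, deviceId }
  }
  issueToken(token, deviceId) {
    this.validTokens.set(token, { deviceId });
  }
  connect(token) {
    const t = this.validTokens.get(token);
    if (!t) return null;          // the only point at which the token is validated
    const sock = new FakeSocket();
    this.sessions.set(sock, { token, deviceId: t.deviceId });
    return sock;
  }
  revokeToken(token) {
    this.validTokens.delete(token);       // sockets authenticated with it stay open
  }
  removeDevice(deviceId) {
    for (const [tok, t] of this.validTokens) {
      if (t.deviceId === deviceId) this.validTokens.delete(tok);
    }
  }
  // A request arriving over an established socket is served on the strength of the
  // handshake-time check alone.
  handle(sock, msg) {
    const s = this.sessions.get(sock);
    if (!s || !sock.open) return { ok: false, reason: 'no session' };
    return { ok: true, deviceId: s.deviceId, msg };
  }
}

// Hardened pattern: revocation and device removal close every session bound to the
// credential, and each message re-checks the token so a missed close cannot help.
class HardenedGateway extends VulnerableGateway {
  closeSessionsWhere(pred, reason) {
    let closed = 0;
    for (const [sock, s] of this.sessions) {
      if (pred(s)) {
        sock.close(4001, reason);   // 4000-4999 is the application-defined close range
        this.sessions.delete(sock);
        closed += 1;
      }
    }
    return closed;
  }
  revokeToken(token) {
    super.revokeToken(token);
    return this.closeSessionsWhere((s) => s.token === token, 'token revoked');
  }
  removeDevice(deviceId) {
    super.removeDevice(deviceId);
    return this.closeSessionsWhere((s) => s.deviceId === deviceId, 'device removed');
  }
  handle(sock, msg) {
    const s = this.sessions.get(sock);
    if (s && !this.validTokens.has(s.token)) {
      // Defence in depth: only reached if some revocation path forgot to close sockets.
      sock.close(4001, 'token no longer valid');
      this.sessions.delete(sock);
      return { ok: false, reason: 'revoked' };
    }
    return super.handle(sock, msg);
  }
}

// Scenario (constructed): two devices hold tokens and connect; device-1's token is then
// revoked (action 'revoke') or the device is removed (action 'remove'), and both
// sockets are reused for a further request.
function scenario(GatewayClass, action) {
  const gw = new GatewayClass();
  gw.issueToken('tok-A', 'device-1');
  gw.issueToken('tok-B', 'device-2');
  const sockA = gw.connect('tok-A');
  const sockB = gw.connect('tok-B');
  if (action === 'revoke') gw.revokeToken('tok-A');
  else gw.removeDevice('device-1');
  return {
    aStillOpen: sockA.open,
    aAccepted: gw.handle(sockA, 'read-config').ok,
    bAccepted: gw.handle(sockB, 'read-config').ok,   // unrelated session must survive
  };
}

for (const action of ['revoke', 'remove']) {
  console.log('vulnerable', action, JSON.stringify(scenario(VulnerableGateway, action)));
  console.log('hardened  ', action, JSON.stringify(scenario(HardenedGateway, action)));
}
```

Running it shows the revoked device's socket staying open and its requests still being served in the vulnerable variant, while the hardened variant closes it with an application close code and rejects further traffic; the unrelated device's session survives in both. The per-message re-validation is deliberate defence in depth: a close-on-revoke hook is only as good as the code paths that remember to call it, and re-checking on each message bounds the damage when one of them does not.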

Affected Systems

The flaw affects the OpenClaw application (CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*, i.e. the Node.js build); all releases prior to 2026.3.28 are vulnerable. The issue lies in the server component that manages WebSocket connections and token validation. Administrators running any affected release should check the installed version and upgrade.

Risk and Exploitability

The CVSS v4.0 score of 8.6 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N) rates the issue High: the WebSocket channel is reachable over the network, no user interaction is needed, and the only privilege required is a token the attacker once legitimately held. The EPSS estimate is below 1% and the CVE is not in the CISA KEV catalog, so there is no indication of exploitation in the wild at the time of writing, consistent with the SSVC assessment of Exploitation: none. The weakness is still serious in practice because it silently defeats the control operators rely on to cut off a lost or compromised device: the token disappears from the administrative view while the holder's session keeps working until the client is forced to reconnect and fails the handshake-time check. Administrators should apply the upgrade promptly rather than assume revocation has taken effect.

Generated by OpenCVE AI on March 31, 2026 at 15:21 UTC.

Remediation

No vendor workaround is listed; the fix is the 2026.3.28 release.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw 2026.3.28 or later to ensure WebSocket sessions are terminated on device removal or token revocation.


Advisories

Source: Github GHSA
ID: GHSA-2pr2-hcv6-7gwv
Title: OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
History

Thu, 02 Apr 2026 20:30:00 +0000

Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 18:00:00 +0000

Metrics (cvssV3_1) removed: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Metrics (cvssV3_1) added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Tue, 31 Mar 2026 14:30:00 +0000

Description added: OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.
Title added: OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation
First Time appeared: Openclaw; Openclaw openclaw
Weaknesses added: CWE-613
CPEs added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products added: Openclaw; Openclaw openclaw
References added: (none recorded)
Metrics (cvssV3_1) added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Metrics (cvssV4_0) added: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-02T15:12:38.442Z

Reserved: 2026-03-30T13:51:47.548Z

Link: CVE-2026-34503

Vulnrichment

Updated: 2026-04-02T15:12:33.715Z

NVD

Status : Analyzed

Published: 2026-03-31T15:16:19.470

Modified: 2026-04-02T12:21:24.243

Link: CVE-2026-34503

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:38:23Z

Weaknesses