Description
OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing shared-token sessions.
Published: 2026-04-28
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: Unauthorized Access via Session Persistence
Action: Apply Patch
AI Analysis

Impact

OpenClaw versions before 2026.4.8 suffer from a session-management flaw: WebSocket connections authenticated with a shared gateway token remain active after that token is rotated, so an attacker who already holds such a session retains unauthorized access. This failure to invalidate existing sessions is classified as CWE-613. The consequence is that the attacker can keep the existing connection alive, and potentially exercise privileged operations over it, for as long as it persists after the rotation, without needing any new credentials.

Affected Systems

The vulnerable product is OpenClaw, a Node.js-based web application framework. Any installation using a release prior to 2026.4.8 is affected; newer releases contain the fix.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity; no EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an attacker who already holds an active WebSocket session before the shared gateway token is rotated; no new authentication is needed to keep that session alive. The risk is therefore limited to the persistence of an existing session, not elevation of privilege or system compromise.

Generated by OpenCVE AI on April 28, 2026 at 22:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.4.8 or later.
  • If an immediate upgrade is not feasible, enforce disconnection of all WebSocket sessions during shared gateway token rotation to prevent session persistence.
  • Continuously monitor WebSocket connections after token rotation for unexpected persistence, indicating potential abuse.
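The second and third recommendations describe a gateway that binds every WebSocket session to the token generation it authenticated with, closes those sessions when the shared token is rotated, and can report any session that outlived a rotation. The following is an added illustration of that pattern, not OpenClaw's own code: the `Gateway` class, the `FakeSocket` stand-in for a real WebSocket connection, the `disconnectOnRotate` switch (kept only to contrast the vulnerable behaviour with the fix), and the 44xx close codes are all assumptions made for this example.

```javascript
// Added example (not OpenClaw's code): a minimal shared-token gateway that
// tracks which token generation each WebSocket session authenticated under
// and closes stale sessions when the shared token is rotated.

// Constructed stand-in for a WebSocket connection; it only records close calls.
class FakeSocket {
  constructor(id) {
    this.id = id;
    this.closed = false;
    this.closeCode = null;
    this.closeReason = null;
  }
  close(code, reason) {
    this.closed = true;
    this.closeCode = code;
    this.closeReason = reason;
  }
}

class Gateway {
  // disconnectOnRotate=false reproduces the vulnerable behaviour (sessions
  // survive rotation); true is the remediated behaviour.
  constructor(initialToken, { disconnectOnRotate = true } = {}) {
    this.token = initialToken;
    this.generation = 0;        // incremented on every rotation
    this.sessions = new Map();  // socket.id -> { socket, generation }
    this.disconnectOnRotate = disconnectOnRotate;
  }

  // Authenticate a new connection with the shared token. On success the
  // session is registered tagged with the current token generation.
  connect(socket, presentedToken) {
    if (presentedToken !== this.token) {
      socket.close(4401, "invalid gateway token"); // assumed app-level close code
      return false;
    }
    this.sessions.set(socket.id, { socket, generation: this.generation });
    return true;
  }

  // Rotate the shared token. The fix is the loop: every session that
  // authenticated under an earlier generation is closed and forgotten, so a
  // holder of the old token cannot keep using a pre-rotation connection.
  rotateToken(newToken) {
    this.token = newToken;
    this.generation += 1;
    let closed = 0;
    if (this.disconnectOnRotate) {
      for (const [id, s] of this.sessions) {
        if (s.generation < this.generation) {
          s.socket.close(4403, "gateway token rotated; reauthenticate");
          this.sessions.delete(id);
          closed += 1;
        }
      }
    }
    return closed;
  }

  // Monitoring helper: ids of open sessions that outlived a token rotation.
  // On a patched gateway this is always empty after rotateToken().
  staleSessions() {
    return [...this.sessions.values()]
      .filter((s) => s.generation < this.generation)
      .map((s) => s.socket.id);
  }
}

// Drive both variants with the same constructed sequence of events.
function demo(disconnectOnRotate) {
  const gw = new Gateway("tok-A", { disconnectOnRotate });
  const s1 = new FakeSocket("c1");
  const s2 = new FakeSocket("c2");
  gw.connect(s1, "tok-A");   // valid session under generation 0
  gw.connect(s2, "wrong");   // rejected outright
  const closed = gw.rotateToken("tok-B");
  const s3 = new FakeSocket("c3");
  gw.connect(s3, "tok-A");   // old token no longer accepted
  const s4 = new FakeSocket("c4");
  gw.connect(s4, "tok-B");   // new token accepted under generation 1
  return {
    closed,
    s1Closed: s1.closed,
    s3Closed: s3.closed,
    s4Open: !s4.closed,
    stale: gw.staleSessions(),
  };
}

console.log("vulnerable:", demo(false));
console.log("patched:   ", demo(true));
```

With `disconnectOnRotate` false, the pre-rotation session `c1` stays open and shows up in `staleSessions()`, which is exactly the condition the third recommendation says to monitor for; with the fix enabled, rotation closes it and the stale list is empty.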



Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Values removed: none. Values added:

Description: OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing shared-token sessions.
Title: OpenClaw < 2026.4.8 - WebSocket Session Persistence via Shared Gateway Token Rotation
First Time appeared: Openclaw; Openclaw openclaw
Weaknesses: CWE-613
CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products: Openclaw; Openclaw openclaw
References: none
Metrics:
  cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}
  cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Openclaw Openclaw
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-29T12:15:24.542Z

Reserved: 2026-04-27T11:38:59.195Z

Link: CVE-2026-42421

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-28T19:37:45.820

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-42421

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:00:13Z

Weaknesses