CVE-2026-41356

MEDIUM NVD

CVSS Score 5.4

Severity MEDIUM

Published Apr 23, 2026

Vendor unknown

Description

OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.

References

https://github.com/openclaw/openclaw/commit/91f7a6b0fd67b703897e6e307762d471ca09333d
https://github.com/openclaw/openclaw/security/advisories/GHSA-rfqg-qgf8-xr9x
https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-in-device-token-rotate