HIGHCVE-2026-34503Published 2026-03-31Modified 2026-04-02CNA VulnCheck

CVE-2026-34503: OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation

OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: 2026.3.28
Affected Products: 1

Fix available

2026.3.28

Patch commits

Patch Commit

Affected packages

OpenClaw / OpenClaw
< 2026.3.28 (from 0)
Fixed in 2026.3.28

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

GitHub Security Advisory (GHSA-2pr2-hcv6-7gwv)
Patch Commit
VulnCheck Advisory: OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation

Metrics

Fix available