Ghostwire

CVE-2026-41356: OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with...

MEDIUM CVSS 5.4 2 PoC

Published: April 23, 2026 | Last Modified: April 23, 2026

Description

OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.

Ghostwire Analysis — What This Means Practically

Medium CVSS score indicates moderate risk — exploitation requires specific conditions or results in limited impact.
2 proof-of-concept exploits available on GitHub. Public exploit code lowers the barrier for both researchers and attackers.

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Proof-of-Concept Exploits (2)

openclaw/openclaw
openclaw/openclaw

Security Coverage (1 articles)

References

github.com/openclaw/openclaw/commit/91f7a6b0fd67b703897e6e307762d471ca09333d
github.com/openclaw/openclaw/security/advisories/GHSA-rfqg-qgf8-xr9x
www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-i