CVE-2026-34503

HIGH 8.1

OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

8th

OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.

CWE	CWE-613
Vendor	openclaw
Product	openclaw
Published	Mar 31, 2026
Last Updated	Apr 2, 2026

Stay Ahead of the Next One

Get instant alerts for openclaw openclaw

Be the first to know when new high vulnerabilities affecting openclaw openclaw are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

OpenClaw / OpenClaw

0 < 2026.3.28

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-2pr2-hcv6-7gwv github.com: https://github.com/openclaw/openclaw/commit/7a801cc451e9e667b705eeccff651923a1b8c863 vulncheck.com: https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-on-device-removal-and-token-revocation

Credits

🔍 AntAISecurityLab