CVE-2026-41356

· NIST NVD ↗

OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.

MEDIUM
CVSS severity
5.4
CVSS base score
2026-04-23
Published

CWE codes

CWE-613

Affected products

openclaw:openclaw

Sources