OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.
Exploitability
AV:NAC:LAT:PPR:LUI:NVulnerable System
VC:LVI:LVA:NSubsequent System
SC:NSI:NSA:N2.3/CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:NOther