
OpenClaw: WebSocket Sessions Survive Device Token Rotation

GHSA-rfqg-qgf8-xr9x
Summary

If you are running OpenClaw 2026.3.28 or earlier, rotating a gateway device token (`device.token.rotate`) replaces the stored token but does not disconnect WebSocket sessions that were already authenticated with the old one. An attacker who has already obtained a live session therefore keeps it after you rotate, until the connection ends on its own. The issue is rated low because it only matters after a compromise, but it defeats the purpose of rotating a credential you believe was exposed. Update to version 2026.3.31 or later to fix it.

What to do
  • Update openclaw to version 2026.3.31 or later.
  • After upgrading, restart the gateway so that any connection authenticated before the upgrade is dropped, then rotate any device token you believe was exposed.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| | openclaw | <= 2026.3.28 | 2026.3.31 |
Original title
OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation
Original description
## Summary
Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation

## Current Maintainer Triage
- Normalized severity: low
- Assessment: v2026.3.28 rotates device tokens without disconnecting already-authenticated WebSocket sessions, which is a real but post-compromise revocation gap.

## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`

## Fix Commit(s)
- `91f7a6b0fd67b703897e6e307762d471ca09333d` — 2026-03-31T09:05:34+09:00

OpenClaw thanks @zsxsoft for reporting.
Severity (GHSA, CVSS 4.0): 2.3
Vulnerability type: CWE-613 (Insufficient Session Expiration)
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026