OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate

OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

不充分的会话过期机制

OpenClaw 代码问题漏洞

OpenClaw是OpenClaw开源的一个智能人工助理。 OpenClaw 2026.3.31之前版本存在代码问题漏洞，该漏洞源于在轮换设备令牌时未能终止活动的WebSocket会话，具有先前泄露凭据的攻击者可在令牌轮换后通过现有WebSocket连接维持未授权访问。

N/A

N/A