High severity8.1NVD Advisory· Published Mar 31, 2026· Updated Apr 2, 2026
CVE-2026-34503
CVE-2026-34503
Description
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
openclawnpm | < 2026.3.28 | 2026.3.28 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/openclaw/openclaw/commit/7a801cc451e9e667b705eeccff651923a1b8c863nvdPatchWEB
- github.com/advisories/GHSA-2pr2-hcv6-7gwvghsaADVISORY
- github.com/openclaw/openclaw/security/advisories/GHSA-2pr2-hcv6-7gwvnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-34503ghsaADVISORY
- www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-on-device-removal-and-token-revocationnvdThird Party AdvisoryWEB
News mentions
0No linked articles in our index yet.