CVE-2026-34503 · HIGH 8.1 · EPSS percentile 24.8%

Description

OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.
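The pattern behind this CVE is generic: the gateway authorizes a WebSocket client once at handshake and never revisits that decision, so editing the token or device table does nothing to sessions that are already open. The following is an added example, not OpenClaw's code, and it does not reproduce the fixed commit; it models the weak shape beside a hardened one using an in-memory registry and a stand-in socket (the names `NaiveGateway`, `Gateway`, `FakeSocket`, the token and device identifiers, and the scenario are all assumptions for illustration, not anything from the advisory):

```javascript
// Added example (not OpenClaw code): CWE-613 on a WebSocket gateway and a
// hardened registry that closes live sessions on token revocation / device
// removal. All names and data below are constructed for illustration.

const CLOSE_POLICY_VIOLATION = 1008; // RFC 6455 close code: policy violation

// Stand-in for a WebSocket connection so the example runs offline.
class FakeSocket {
  constructor() { this.open = true; this.closeCode = null; this.closeReason = null; }
  close(code, reason) { this.open = false; this.closeCode = code; this.closeReason = reason; }
}

// Vulnerable shape: the token is checked once at handshake. revokeToken()
// only edits the token table, so an already-connected client keeps being served.
class NaiveGateway {
  constructor() { this.validTokens = new Set(); this.sockets = new Set(); }
  issueToken(token) { this.validTokens.add(token); }
  connect(token, socket) {
    if (!this.validTokens.has(token)) { socket.close(CLOSE_POLICY_VIOLATION, 'unauthorized'); return false; }
    this.sockets.add(socket);
    return true;
  }
  revokeToken(token) { this.validTokens.delete(token); } // live sessions untouched
  handle(socket, msg) { return socket.open ? `ok:${msg}` : null; } // never re-checks
}

// Hardened shape: every live socket is indexed by token and by device, so
// revocation and device removal close the affected sessions immediately.
// handle() also re-validates per message as defence in depth against races.
class Gateway {
  constructor() {
    this.tokens = new Map();    // token -> { deviceId }
    this.byToken = new Map();   // token -> Set<socket>
    this.byDevice = new Map();  // deviceId -> Set<socket>
    this.sessionOf = new Map(); // socket -> { token, deviceId }
  }
  issueToken(token, deviceId) { this.tokens.set(token, { deviceId }); }
  index(map, key, socket) {
    if (!map.has(key)) map.set(key, new Set());
    map.get(key).add(socket);
  }
  connect(token, socket) {
    const rec = this.tokens.get(token);
    if (!rec) { socket.close(CLOSE_POLICY_VIOLATION, 'unauthorized'); return false; }
    this.sessionOf.set(socket, { token, deviceId: rec.deviceId });
    this.index(this.byToken, token, socket);
    this.index(this.byDevice, rec.deviceId, socket);
    return true;
  }
  disconnect(socket, reason) {
    const sess = this.sessionOf.get(socket);
    if (sess) {
      this.byToken.get(sess.token)?.delete(socket);
      this.byDevice.get(sess.deviceId)?.delete(socket);
      this.sessionOf.delete(socket);
    }
    if (socket.open) socket.close(CLOSE_POLICY_VIOLATION, reason);
  }
  revokeToken(token) {
    this.tokens.delete(token);
    for (const s of [...(this.byToken.get(token) ?? [])]) this.disconnect(s, 'token revoked');
    this.byToken.delete(token);
  }
  removeDevice(deviceId) {
    // Close the device's sessions first, then invalidate every token it owned.
    for (const s of [...(this.byDevice.get(deviceId) ?? [])]) this.disconnect(s, 'device removed');
    this.byDevice.delete(deviceId);
    for (const [token, rec] of [...this.tokens]) if (rec.deviceId === deviceId) this.revokeToken(token);
  }
  handle(socket, msg) {
    const sess = this.sessionOf.get(socket);
    if (!sess || !this.tokens.has(sess.token)) { this.disconnect(socket, 'session no longer valid'); return null; }
    return `ok:${msg}`;
  }
  liveSessionCount() { return this.sessionOf.size; }
}

// Constructed scenario: token A is revoked mid-session, then device dev-1
// (owning tokens A and B) is removed; dev-2's session must survive untouched.
function demo() {
  const naive = new NaiveGateway();
  naive.issueToken('tok-A');
  const n = new FakeSocket();
  naive.connect('tok-A', n);
  naive.revokeToken('tok-A');
  const naiveAfterRevoke = naive.handle(n, 'read-secrets'); // still served: the bug

  const gw = new Gateway();
  gw.issueToken('tok-A', 'dev-1'); gw.issueToken('tok-B', 'dev-1'); gw.issueToken('tok-C', 'dev-2');
  const a = new FakeSocket(), b = new FakeSocket(), c = new FakeSocket();
  gw.connect('tok-A', a); gw.connect('tok-B', b); gw.connect('tok-C', c);
  gw.revokeToken('tok-A');
  const hardenedAfterRevoke = gw.handle(a, 'read-secrets'); // null, socket already closed
  gw.removeDevice('dev-1');
  return { naiveAfterRevoke, hardenedAfterRevoke, aOpen: a.open, bOpen: b.open, cOpen: c.open,
           bReason: b.closeReason, live: gw.liveSessionCount(), cStillServed: gw.handle(c, 'ping') };
}
```

The point to take from `demo()` is that the fix is not a tighter handshake check but a registry: the revocation path needs a way to enumerate the sockets that a token or device currently owns and to terminate them, and the per-message re-validation in `handle()` covers the window between a revocation event and the close actually propagating. In a real deployment the same indexing has to be keyed by whatever identity the revocation event carries (device ID, token ID, or both), and a multi-process gateway needs the revocation fanned out to every process holding sockets.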

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.33% probability of exploitation · percentile 24.8% · scored 2026-06-19T12:03:05Z
Published: 2026-03-31
Last modified: 2026-04-02

Underlying weaknesses (1)

CWE-613 (Insufficient Session Expiration)

References

  1. https://github.com/openclaw/openclaw/commit/7a801cc451e9e667b705eeccff651923a1b8c863
  2. https://github.com/openclaw/openclaw/security/advisories/GHSA-2pr2-hcv6-7gwv
  3. https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-on-device-removal-and-token-revocation

Weakness mapping (1)

Type      Target                                     Confidence  Tier
Weakness  Insufficient Session Expiration (cwe-613)  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-28472
  2. CVE-2026-43585
  3. CVE-2026-22172
  4. CVE-2026-34512
  5. CVE-2026-35660
  6. CVE-2026-32905
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.