AI Threat Alert
CVE-2026-34503
HIGHOpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced...
Full CISO analysis pending enrichment.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | pip | — | No patch |
Do you use OpenClaw? You're affected.
How severe is it?
What is the attack surface?
What should I do?
No patch available
Monitor for updates. Consider compensating controls or temporary mitigations.
Which compliance frameworks are affected?
Compliance analysis pending. Sign in for full compliance mapping when available.
Frequently Asked Questions
What is CVE-2026-34503?
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.
Is CVE-2026-34503 actively exploited?
No confirmed active exploitation of CVE-2026-34503 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-34503?
No patch is currently available. Monitor vendor advisories for updates.
What is the CVSS score for CVE-2026-34503?
CVE-2026-34503 has a CVSS v3.1 base score of 8.1 (HIGH).
What are the technical details?
Original Advisory
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.
Weaknesses (CWE)
CWE-613 — Insufficient Session Expiration: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
- [Implementation] Set sessions/credentials expiration date.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N References
- github.com/openclaw/openclaw/commit/7a801cc451e9e667b705eeccff651923a1b8c863 patch
- github.com/openclaw/openclaw/security/advisories/GHSA-2pr2-hcv6-7gwv vendor-advisory
- vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-on-device-removal-and-token-revocation third-party-advisory
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 Analysis pending
Same package: openclaw CVE-2026-32922 9.9 Analysis pending
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw CVE-2026-32038 9.8 Analysis pending
Same package: openclaw