GHSA-5h3f-885m-v22w: openclaw: WS sessions persist after gateway token rotation
GHSA-5h3f-885m-v22w MEDIUMOpenClaw's shared gateway token rotation fails to terminate existing WebSocket sessions, meaning an attacker who has already obtained session access retains it indefinitely even after the victim executes what should be a standard incident response action. Local AI agents like OpenClaw routinely have access to filesystem, code execution tools, and stored credentials — so a persistent unauthorized session is a meaningful foothold, not a cosmetic flaw. Context compounds the concern: this package carries 60 prior CVEs and is associated with a documented malicious skills ecosystem (AIID #1368, Feb 2026) where ~17% of third-party skills were assessed as malicious — suggesting the attacker pathway to obtaining an initial session is already well-trodden. Upgrade to openclaw 2026.4.8 immediately and restart the service to force-terminate all existing WebSocket sessions post-upgrade.
What is the risk?
Medium severity in isolation, but elevated when considered against the deployment context of a local AI agent with broad system access. Token rotation is a core incident response control — its failure converts a recoverable credential compromise into a persistent access problem. No CVSS vector or EPSS data is available, no public exploit exists, and the local trust model limits blast radius. However, 60 prior CVEs in this package indicate systemic security debt, and the malicious skills ecosystem provides a realistic attacker pathway to initial session establishment, after which this vulnerability extends attacker dwell time past standard remediation.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.4.8 | 2026.4.8 |
Do you use OpenClaw? You're affected.
How severe is it?
What should I do?
5 steps-
Upgrade openclaw to 2026.4.8 (patched).
-
Restart the OpenClaw service post-upgrade to force termination of all pre-existing WebSocket sessions — do not rely on token rotation alone.
-
Monitor network traffic for unexpected persistent WebSocket connections to the OpenClaw gateway.
-
Audit installed ClawHub skills for malicious indicators (see AIID #1368).
-
If compromise is suspected, rotate all credentials accessible by the agent (API keys, OAuth tokens, local secrets) and review agent action logs for unauthorized activity.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-5h3f-885m-v22w?
OpenClaw's shared gateway token rotation fails to terminate existing WebSocket sessions, meaning an attacker who has already obtained session access retains it indefinitely even after the victim executes what should be a standard incident response action. Local AI agents like OpenClaw routinely have access to filesystem, code execution tools, and stored credentials — so a persistent unauthorized session is a meaningful foothold, not a cosmetic flaw. Context compounds the concern: this package carries 60 prior CVEs and is associated with a documented malicious skills ecosystem (AIID #1368, Feb 2026) where ~17% of third-party skills were assessed as malicious — suggesting the attacker pathway to obtaining an initial session is already well-trodden. Upgrade to openclaw 2026.4.8 immediately and restart the service to force-terminate all existing WebSocket sessions post-upgrade.
Is GHSA-5h3f-885m-v22w actively exploited?
No confirmed active exploitation of GHSA-5h3f-885m-v22w has been reported, but organizations should still patch proactively.
How to fix GHSA-5h3f-885m-v22w?
1. Upgrade openclaw to 2026.4.8 (patched). 2. Restart the OpenClaw service post-upgrade to force termination of all pre-existing WebSocket sessions — do not rely on token rotation alone. 3. Monitor network traffic for unexpected persistent WebSocket connections to the OpenClaw gateway. 4. Audit installed ClawHub skills for malicious indicators (see AIID #1368). 5. If compromise is suspected, rotate all credentials accessible by the agent (API keys, OAuth tokens, local secrets) and review agent action logs for unauthorized activity.
What systems are affected by GHSA-5h3f-885m-v22w?
This vulnerability affects the following AI/ML architecture patterns: local AI agent deployments, agent frameworks.
What is the CVSS score for GHSA-5h3f-885m-v22w?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0091.000 Application Access Token AML.T0112.000 Local AI Agent Compliance Controls Affected
What are the technical details?
Original Advisory
## Impact Existing WS sessions survive shared gateway token rotation. Rotating the shared gateway token did not disconnect existing shared-token WebSocket sessions. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.
Exploitation Scenario
An attacker compromises the OpenClaw shared gateway token via a malicious ClawHub skill (per AIID #1368 patterns), credential theft, or local access. They establish a WebSocket session before the victim detects the breach. The victim discovers the compromise and rotates the gateway token as the standard remediation step. Under versions <= 2026.4.1, the attacker's existing session remains fully authenticated and active — the rotation has no effect on live sessions. The attacker retains persistent command-and-control over the local AI agent, its tools, and accessible resources indefinitely until the service is restarted or the session is explicitly killed.
Weaknesses (CWE)
CWE-613 — Insufficient Session Expiration: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
- [Implementation] Set sessions/credentials expiration date.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw