GHSA-wwc3-c577-533m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wwc3-c577-533m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-wwc3-c577-533m/GHSA-wwc3-c577-533m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wwc3-c577-533m
- Downstream
- Withdrawn
- 2026-05-04T21:59:59Z
- Published
- 2026-04-24T00:31:52Z
- Modified
- 2026-05-05T16:11:36.629384Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
- Summary
- Duplicate Advisory: OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation
- Details
-
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-rfqg-qgf8-xr9x. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-05-04T21:59:59Z", "nvd_published_at": "2026-04-23T22:16:43Z", "severity": "LOW", "cwe_ids": [ "CWE-613" ] }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-rfqg-qgf8-xr9x
- https://nvd.nist.gov/vuln/detail/CVE-2026-41356
- https://github.com/openclaw/openclaw/commit/91f7a6b0fd67b703897e6e307762d471ca09333d
- https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-in-device-token-rotate
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw