OpenClaw WebSocket Session Hijacking Vulnerability After Device Removal or Token Revocation
Vulnerability
A vulnerability in OpenClaw versions prior to 2026.3.28 allows WebSocket sessions to remain active even after a device is removed or its token is revoked. This issue enables attackers with revoked credentials to retain unauthorized access through existing live sessions until a forced reconnection occurs.
Impact
A device whose pairing has been removed or whose token has been revoked retains unauthorized access for as long as an already-established WebSocket session stays open, because revocation does not terminate live sessions.
Reproduction
The vulnerability can be reproduced by removing a paired device or revoking its token, which updates the stored credentials but does not disconnect the active WebSocket session. As a result, the device can continue to access the application through the open WebSocket connection until it is manually disconnected or reconnected.
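To make the failure mode concrete, the following added example (not OpenClaw's code; the gateway, socket and device names are constructed) models a token store beside a live-session registry and contrasts a revocation that only updates the store with one that also closes the device's open sockets and re-checks pairing on every message.

```javascript
// Added example, not OpenClaw code: sockets are plain objects so it runs offline.
class FakeSocket {
  constructor() { this.open = true; this.closeCode = null; this.deviceId = null; }
  close(code, reason) { this.open = false; this.closeCode = code; this.closeReason = reason; }
}
class Gateway {
  constructor() {
    this.tokens = new Map();    // deviceId -> token (stored credentials)
    this.sessions = new Map();  // deviceId -> Set<FakeSocket> (live sessions)
  }
  pair(deviceId, token) { this.tokens.set(deviceId, token); }
  // Authenticate once at WebSocket upgrade time and register the live socket.
  connect(deviceId, token, socket) {
    if (this.tokens.get(deviceId) !== token) return false;
    if (!this.sessions.has(deviceId)) this.sessions.set(deviceId, new Set());
    this.sessions.get(deviceId).add(socket);
    socket.deviceId = deviceId;
    return true;
  }
  // Vulnerable pattern (the pre-2026.3.28 behaviour the advisory describes):
  // revocation updates the credential store but leaves open sockets alone.
  revokeStoreOnly(deviceId) { this.tokens.delete(deviceId); }
  // Fixed pattern: revocation also closes every live session for the device.
  revoke(deviceId) {
    this.tokens.delete(deviceId);
    for (const s of this.sessions.get(deviceId) ?? []) s.close(4001, 'device revoked');
    this.sessions.delete(deviceId);
  }
  serveUnchecked(socket, msg) { return socket.open ? `ok:${msg}` : null; } // trusts upgrade-time check only
  // Hardened handler: re-check pairing per message (defence in depth if a socket outlives revocation).
  serveChecked(socket, msg) {
    if (!socket.open) return null;
    if (!this.tokens.has(socket.deviceId)) { socket.close(4001, 'device revoked'); return null; }
    return `ok:${msg}`;
  }
}
// Walk both flows and report what a client holding a revoked token still gets.
function demo() {
  const vuln = new Gateway(), fixed = new Gateway();
  const s1 = new FakeSocket(), s2 = new FakeSocket();
  vuln.pair('dev-A', 'tok-1'); vuln.connect('dev-A', 'tok-1', s1); vuln.revokeStoreOnly('dev-A');
  fixed.pair('dev-A', 'tok-1'); fixed.connect('dev-A', 'tok-1', s2); fixed.revoke('dev-A');
  return {
    staleSessionServed: vuln.serveUnchecked(s1, 'list') === 'ok:list',    // true: the bug
    fixedSessionClosed: !s2.open && s2.closeCode === 4001,                 // true
    reconnectRejected: !fixed.connect('dev-A', 'tok-1', new FakeSocket()), // true
    perMessageCheckRejects: vuln.serveChecked(s1, 'list') === null,        // true
  };
}
```

The per-message check is the backstop: even if a close frame is lost or a session is restored from a cache, a revoked device gets nothing served.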
Remediation
Update to OpenClaw version 2026.3.28 or later, where this vulnerability is patched.
