OpenClaw WebSocket Session Persistence Vulnerability via Shared Gateway Token Rotation
Vulnerability
A session management vulnerability has been identified in OpenClaw versions prior to 2026.4.8. When the shared gateway token is rotated, WebSocket sessions that were authenticated with the previous token are not disconnected and remain active. Anyone who already holds such a session, including a party the rotation was meant to lock out, therefore keeps access to the gateway after the token they authenticated with has been replaced.
Impact
The weakness is insufficient session expiration: sessions outlive the credential that authorized them. Because rotating the shared gateway token does not terminate existing WebSocket sessions, an attacker who obtained a session under the old token retains unauthorized access until the connection is closed by some other means.
Reproduction
To reproduce: establish a WebSocket connection to the gateway using the current shared gateway token, then rotate the token. On an affected version the established session stays open and continues to work, showing that the rotation did not terminate sessions bound to the previous token. The expected behaviour is that rotation closes those sessions and the client has to reconnect with the new token.
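The following is an added, self-contained model of the behaviour described above; it is not OpenClaw code and the class and method names (Gateway, connect, rotate_token, reproduce) are hypothetical. It binds each session to a fingerprint of the token it authenticated with, then runs the reproduction steps twice: once against a gateway that only swaps the token on rotation (the affected behaviour) and once against one that also revokes sessions bound to the old token (the fixed behaviour).

```python
"""Model of a WebSocket gateway authenticated by a shared token, showing why
token rotation must also revoke live sessions. Constructed example; the
names and the token values are hypothetical, not taken from OpenClaw."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


def token_fingerprint(token: str) -> str:
    """Non-reversible identifier for a token value, so a session can record
    which token it authenticated with without storing the secret itself."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]


@dataclass
class Session:
    session_id: str
    token_fp: str            # fingerprint of the token presented at handshake
    open: bool = True
    close_reason: str = ""

    def close(self, reason: str) -> None:
        self.open = False
        self.close_reason = reason


class Gateway:
    def __init__(self, token: str, revoke_on_rotate: bool) -> None:
        self._token = token
        self.revoke_on_rotate = revoke_on_rotate   # False models the affected behaviour
        self.sessions: dict[str, Session] = {}

    def connect(self, presented_token: str) -> Session | None:
        """Handshake: accept only the current shared token (constant-time compare)."""
        if not hmac.compare_digest(presented_token.encode(), self._token.encode()):
            return None
        s = Session(secrets.token_hex(4), token_fingerprint(presented_token))
        self.sessions[s.session_id] = s
        return s

    def rotate_token(self, new_token: str) -> list[str]:
        """Replace the shared token. In the fixed variant, also close every open
        session that authenticated with the token being retired; returns the
        ids of the sessions closed."""
        old_fp = token_fingerprint(self._token)
        self._token = new_token
        closed: list[str] = []
        if self.revoke_on_rotate:
            for s in self.sessions.values():
                if s.open and s.token_fp == old_fp:
                    s.close("shared gateway token rotated")
                    closed.append(s.session_id)
        return closed

    def live_sessions(self) -> list[Session]:
        return [s for s in self.sessions.values() if s.open]


def reproduce(revoke_on_rotate: bool) -> dict[str, bool]:
    """Follow the advisory's reproduction steps: connect with the shared token,
    rotate it, then check whether the pre-rotation session is still live."""
    gw = Gateway("old-shared-token", revoke_on_rotate)
    before = gw.connect("old-shared-token")
    assert before is not None
    gw.rotate_token("new-shared-token")
    new_fp = token_fingerprint("new-shared-token")
    stale = [s for s in gw.live_sessions() if s.token_fp != new_fp]
    return {
        # Both variants reject the old token for new handshakes ...
        "old_token_rejected": gw.connect("old-shared-token") is None,
        "new_token_accepted": gw.connect("new-shared-token") is not None,
        # ... but only the fixed variant ends the session that predates rotation.
        "stale_sessions_alive": len(stale) > 0,
    }


if __name__ == "__main__":
    print("affected:", reproduce(revoke_on_rotate=False))
    print("fixed:   ", reproduce(revoke_on_rotate=True))
```

The point the model makes is that rejecting the old token at the handshake, which both variants do, is not a sufficient check: a rotation procedure has to walk the live session table and close everything bound to the retired credential, and a test for the fix should assert on the pre-rotation session being closed, not on a fresh connection with the old token failing.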
Remediation
Update to OpenClaw version 2026.4.8 or later. Note that on an unpatched version rotating the token alone does not end sessions that already exist; if misuse of the old token is suspected, existing connections also have to be forced to re-handshake (for example by restarting the gateway process) so that only holders of the new token remain connected.
