CVE-2026-34503
Published: 31 March 2026
Summary
CVE-2026-34503 is a high-severity Insufficient Session Expiration (CWE-613) vulnerability in OpenClaw (vendor: Openclaw). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique External Remote Services (T1133). It is ranked at the 1.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and AC-2 (Account Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
AC-12 mandates automatic termination of user sessions upon organization-defined trigger events such as token revocation or device removal, directly preventing persistent unauthorized WebSocket access.
IA-5 requires procedures for revoking authenticators like tokens and ensuring they are invalidated promptly, addressing the failure to invalidate associated WebSocket sessions.
AC-2 enforces timely disabling and management of accounts or associated devices upon revocation, which supports termination of linked persistent sessions.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability enables persistent WebSocket access after token revocation, which directly facilitates use of external remote services (T1133) and abuse of stale but still-valid accounts and sessions (T1078).
NVD Description
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.
Deeper analysis (AI)
CVE-2026-34503 is a vulnerability in OpenClaw versions prior to 2026.3.28, where the software fails to disconnect active WebSocket sessions when associated devices are removed or authentication tokens are revoked. This issue, tied to CWE-613 (Insufficient Session Expiration), allows persistent connections despite credential invalidation. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), reflecting high severity due to its network accessibility, low complexity, and potential for significant confidentiality and integrity impacts.
Attackers require low privileges (PR:L) to initially establish a session but can exploit the flaw remotely over the network with no user interaction. Once credentials are revoked or devices removed, the attacker maintains unauthorized access through existing live WebSocket sessions until a forced reconnection disrupts them, enabling prolonged unauthorized actions with high confidentiality and integrity consequences.
Advisories recommend upgrading to OpenClaw 2026.3.28 or later, which includes the fixing commit 7a801cc451e9e667b705eeccff651923a1b8c863. Additional guidance appears in the GitHub security advisory at GHSA-2pr2-hcv6-7gwv and the VulnCheck advisory on incomplete WebSocket session termination.
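The following is an added illustration of the control pattern the AC-12, IA-5 and AC-2 entries above describe, written for this page and not taken from OpenClaw or its fixing commit. It models a session registry that binds each live WebSocket session to the token and device that authenticated it. The `revokeTokenWithoutDisconnect` method reproduces the CWE-613 condition (the revocation store is updated but the live session survives); `revokeToken` and `removeDevice` show the corrected behaviour, and `handleMessage` adds a per-frame re-check as defense in depth. The `SessionRegistry` class, the close code 4001 and the fake socket object are assumptions made for the example; the socket stands in for a real `ws` connection's `close(code, reason)`.

```javascript
// Added example (not OpenClaw code): terminate live WebSocket sessions when the
// token or device that authenticated them is revoked (CWE-613 mitigation).
// Socket objects are stand-ins for a ws.WebSocket with close(code, reason).

class SessionRegistry {
  constructor() {
    this.revokedTokens = new Set(); // token revocation store (constructed)
    this.sessions = new Map();      // sessionId -> { token, deviceId, socket }
    this.nextId = 1;
  }

  // Called after the handshake authenticated the token; records the binding
  // so revocation can later find every session the token opened.
  register(socket, token, deviceId) {
    if (this.revokedTokens.has(token)) {
      socket.close(4001, 'token revoked'); // 4001: assumed application close code
      return null;
    }
    const id = this.nextId++;
    this.sessions.set(id, { token, deviceId, socket });
    return id;
  }

  // Vulnerable pattern (CWE-613): revocation only updates the store. Sessions
  // that already completed the handshake keep running until they reconnect.
  revokeTokenWithoutDisconnect(token) {
    this.revokedTokens.add(token);
  }

  // Hardened pattern (AC-12 / IA-5): revocation also closes every session
  // bound to the token, so access ends when the credential does.
  revokeToken(token) {
    this.revokedTokens.add(token);
    return this.closeWhere((s) => s.token === token, 'token revoked');
  }

  // Device removal (AC-2): close every session bound to the device.
  removeDevice(deviceId) {
    return this.closeWhere((s) => s.deviceId === deviceId, 'device removed');
  }

  // Closes and forgets all sessions matching the predicate; returns the count.
  closeWhere(predicate, reason) {
    let closed = 0;
    for (const [id, s] of this.sessions) {
      if (predicate(s)) {
        s.socket.close(4001, reason);
        this.sessions.delete(id); // deleting during Map iteration is safe in JS
        closed++;
      }
    }
    return closed;
  }

  // Defense in depth: re-check the token on every inbound frame, so a session
  // missed by the disconnect path still cannot act on a revoked credential.
  handleMessage(sessionId, frame) {
    const s = this.sessions.get(sessionId);
    if (!s) return { ok: false, error: 'no session' };
    if (this.revokedTokens.has(s.token)) {
      s.socket.close(4001, 'token revoked');
      this.sessions.delete(sessionId);
      return { ok: false, error: 'token revoked' };
    }
    return { ok: true, echo: frame };
  }

  liveSessionCount() { return this.sessions.size; }
}

// Fake socket standing in for a ws connection (constructed for the example).
function fakeSocket() {
  return {
    closed: false, code: null, reason: null,
    close(code, reason) { this.closed = true; this.code = code; this.reason = reason; },
  };
}

// Scenario (constructed): two sessions on token 'tokA' (devices d1, d2), one on 'tokB'.
function demo() {
  const reg = new SessionRegistry();
  const a1 = fakeSocket(), a2 = fakeSocket(), b1 = fakeSocket();
  const sA1 = reg.register(a1, 'tokA', 'd1');
  reg.register(a2, 'tokA', 'd2');
  const sB1 = reg.register(b1, 'tokB', 'd3');

  const closedByRevoke = reg.revokeToken('tokA');    // both tokA sessions closed
  const afterRevoke = reg.handleMessage(sA1, 'ping'); // rejected: session is gone
  const stillB = reg.handleMessage(sB1, 'ping');      // tokB unaffected
  const closedByDevice = reg.removeDevice('d3');      // tokB session closed
  return { closedByRevoke, afterRevoke, stillB, closedByDevice,
           live: reg.liveSessionCount(), a1Closed: a1.closed, b1Closed: b1.closed };
}
```

The registry is the piece a server needs in order to honour AC-12: without a mapping from credential to live connection, a revocation handler has nothing to terminate, which is exactly the state the NVD description captures. The per-message check in `handleMessage` is cheap insurance for sessions established before the registry was introduced.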
Details
- CWE(s)