CVE-2026-34503 Overview
CVE-2026-34503 is an Insufficient Session Expiration vulnerability (CWE-613) in OpenClaw, a Node.js-based application. The vulnerability exists in versions prior to 2026.3.28 where the application fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. This flaw allows attackers with revoked credentials to maintain unauthorized access through existing live sessions until a forced reconnection occurs.
Critical Impact
Attackers with revoked credentials can maintain persistent unauthorized access through established WebSocket connections, effectively bypassing token revocation and device removal security controls.
Affected Products
- OpenClaw versions prior to 2026.3.28
- OpenClaw for Node.js (all affected versions)
Discovery Timeline
- 2026-03-31 - CVE-2026-34503 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-34503
Vulnerability Analysis
This vulnerability represents a classic insufficient session expiration flaw where the WebSocket session lifecycle is not properly tied to the authentication token lifecycle. When an administrator removes a device or revokes an authentication token, the intended security action is to immediately terminate all access for that credential. However, OpenClaw's gateway component failed to propagate this revocation to active WebSocket connections.
The core issue is that WebSocket connections, once established, maintained their authenticated state independently of the underlying token's validity. This architectural gap creates a window where security controls can be circumvented by attackers who establish a persistent connection before their credentials are revoked.
Root Cause
The root cause lies in the gateway's device management methods not triggering session disconnection when device pairings are removed or tokens are rotated. The device.pairing.remove and related handlers would successfully invalidate tokens at the authentication layer but failed to propagate this invalidation to the WebSocket connection manager, leaving established sessions active and authenticated.
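To make the lifecycle gap in the analysis and root cause above concrete, the following is an added illustration and not OpenClaw's code: a minimal gateway connection registry in which device pairings (the auth layer) and live WebSocket sessions are tracked separately. The vulnerable removal path deletes the pairing only, so a socket opened before revocation stays authenticated; the fixed path also calls a disconnectClientsForDevice routine modelled on the one named in the patch description. The socket class is a constructed stand-in for a ws connection, and the device IDs, tokens and close codes are made up.

```javascript
// Added example, not OpenClaw's code: a minimal gateway connection registry
// that shows why a pairing removal must also tear down the live WebSocket
// sessions authenticated with that device. Sockets are constructed stand-ins
// for `ws` connections; device IDs, tokens and close codes are made up.

class FakeSocket {
  constructor() {
    this.open = true;
    this.closeCode = null;
    this.closeReason = null;
    this.session = null; // set at handshake: { deviceId, token }
  }
  close(code, reason) {
    this.open = false;
    this.closeCode = code;
    this.closeReason = reason;
  }
}

class Gateway {
  constructor() {
    this.pairings = new Map();        // deviceId -> token (the auth layer)
    this.clientsByDevice = new Map(); // deviceId -> Set<FakeSocket> (live sessions)
  }

  pairDevice(deviceId, token) {
    this.pairings.set(deviceId, token);
  }

  // WebSocket handshake: admit the client only if the token is currently valid,
  // then index the socket under its device so it can be found at revocation time.
  connect(deviceId, token, socket) {
    if (this.pairings.get(deviceId) !== token) {
      socket.close(4401, 'unauthorized');
      return false;
    }
    socket.session = { deviceId, token };
    if (!this.clientsByDevice.has(deviceId)) this.clientsByDevice.set(deviceId, new Set());
    this.clientsByDevice.get(deviceId).add(socket);
    return true;
  }

  // Vulnerable pattern: the pairing is revoked at the auth layer, but nothing
  // tells the connection manager, so established sessions stay open.
  removePairingVulnerable(deviceId) {
    return this.pairings.delete(deviceId);
  }

  // Fixed pattern: revoke, then close every live client for that device.
  // The upstream patch defers the disconnect with queueMicrotask() so the
  // removal response goes out first; it is done inline here for clarity.
  removePairing(deviceId) {
    const removed = this.pairings.delete(deviceId);
    if (removed) this.disconnectClientsForDevice(deviceId);
    return removed;
  }

  disconnectClientsForDevice(deviceId) {
    const clients = this.clientsByDevice.get(deviceId);
    if (!clients) return 0;
    let closed = 0;
    for (const socket of clients) {
      if (socket.open) {
        socket.close(4001, 'device removed');
        closed += 1;
      }
    }
    this.clientsByDevice.delete(deviceId);
    return closed;
  }

  // Authorisation as the vulnerable gateway did it: trust the session cached at
  // the handshake. Once the socket is closed this fails, which the fix relies on.
  handleMessage(socket) {
    return socket.open && socket.session !== null;
  }

  // Defence in depth: also re-check that the pairing is still valid on every
  // message, so a stale session is refused even in the window before a deferred
  // disconnect has run.
  handleMessageStrict(socket) {
    return this.handleMessage(socket) &&
      this.pairings.get(socket.session.deviceId) === socket.session.token;
  }
}

// Run the same sequence against both removal paths and report what the
// socket held by the revoked device can still do afterwards.
function scenario(withFix) {
  const gw = new Gateway();
  gw.pairDevice('dev-A', 'tok-A'); // constructed sample device and token
  const socket = new FakeSocket();
  gw.connect('dev-A', 'tok-A', socket); // session established before revocation
  if (withFix) gw.removePairing('dev-A'); else gw.removePairingVulnerable('dev-A');
  return {
    socketOpen: socket.open,
    closeCode: socket.closeCode,
    messageAccepted: gw.handleMessage(socket),
    strictAccepted: gw.handleMessageStrict(socket),
  };
}

console.log('vulnerable:', scenario(false));
console.log('fixed:     ', scenario(true));
```

The strict handler is the additional check a defender would want alongside the disconnect: because the patch schedules the close in a microtask after the response is sent, re-validating the pairing per message closes the small window in which a message could still be processed on a session whose device is already gone.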
Attack Vector
This vulnerability is exploitable over the network with low attack complexity. An attacker who has obtained valid credentials (either legitimately or through compromise) can establish a WebSocket connection. If the legitimate owner or administrator subsequently revokes the token or removes the device, the attacker's existing WebSocket session remains active and authenticated. The attacker can continue to interact with the system through this persistent connection until the application is restarted or the connection is otherwise forcibly terminated.
The security patch introduces session termination logic that properly disconnects clients when their associated devices are removed:
}
context.logGateway.info(`device pairing removed device=${removed.deviceId}`);
respond(true, removed, undefined);
+ queueMicrotask(() => {
+ context.disconnectClientsForDevice?.(removed.deviceId);
+ });
},
"device.token.rotate": async ({ params, respond, context, client }) => {
if (!validateDeviceTokenRotateParams(params)) {
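Review bot: the call context.disconnectClientsForDevice?.(removed.deviceId) is optional-chained, so a gateway context that was built without that function turns the fix into a silent no-op and the removed device's sessions stay open exactly as before; either make the function a required part of the context or log a warning when it is absent. Deferring the disconnect with queueMicrotask after respond(true, removed, undefined) is reasonable so the caller gets its acknowledgement first, but the hunk stops at the start of "device.token.rotate", and the advisory text says rotated or revoked tokens leave sessions live as well, so that handler needs the same disconnect once the new token has been issued.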
Source: GitHub Commit Reference
The fix also adds the necessary type definition for the disconnect function:
nodeUnsubscribeAll: (nodeId: string) => void;
hasConnectedMobileNode: () => boolean;
hasExecApprovalClients?: (excludeConnId?: string) => boolean;
+ disconnectClientsForDevice?: (deviceId: string, opts?: { role?: string }) => void;
nodeRegistry: NodeRegistry;
agentRunSeq: Map<string, number>;
chatAbortControllers: Map<string, ChatAbortControllerEntry>;
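Review bot: disconnectClientsForDevice?: is declared as an optional member, which is what lets the ?. call at the use site skip silently; since session termination is the control this fix introduces, declare it as a required member so the compiler rejects any gateway context that omits it. The opts?: { role?: string } parameter is not exercised by the call shown in the other hunk, so either document what passing a role restricts or leave it out until it has a caller.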
Source: GitHub Commit Reference
Detection Methods for CVE-2026-34503
Indicators of Compromise
- WebSocket connections that remain active after their associated device has been removed from the system
- Sessions continuing to perform authenticated actions with tokens that have been revoked in the authentication database
- Unusual persistence of connections from specific device IDs after administrative removal actions
Detection Strategies
- Monitor for discrepancies between active WebSocket sessions and valid device registrations in the database
- Implement logging that correlates device removal events with WebSocket disconnection events to identify sessions that persist after revocation
- Audit authentication logs for actions performed by tokens that were revoked but associated with still-active WebSocket connections
Monitoring Recommendations
- Implement real-time monitoring of WebSocket connection states and cross-reference with the device registry
- Set up alerts for device removal or token revocation events that are not followed by corresponding session termination within a short timeframe
- Review gateway logs for the device pairing removed message and verify corresponding session disconnections
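The correlation described in the detection strategies and monitoring recommendations above can be run over a captured gateway log. The following is an added example, not part of OpenClaw or of the original advisory: it parses log lines, pairs each "device pairing removed" event (the message text the patched handler emits) with a client-disconnect event for the same device inside a grace window, and reports removals that were never followed by a disconnect, together with how many further actions that device performed. The disconnect and message log formats, the timestamps and the whole sample log are constructed assumptions.

```javascript
// Added example, not OpenClaw's code: correlate device-removal events with
// client-disconnect events and flag removals whose sessions persisted.
// The removal message text matches the patched handler; the other message
// formats, the timestamps and the sample log itself are constructed.

const SAMPLE_LOG = [
  '2026-03-30T10:00:00Z info device pairing removed device=dev-A',
  '2026-03-30T10:00:01Z info client disconnected device=dev-A',
  '2026-03-30T10:05:00Z info device pairing removed device=dev-B',
  '2026-03-30T10:05:30Z info client message device=dev-B method=chat.send',
  '2026-03-30T10:09:00Z info device pairing removed device=dev-C',
  '2026-03-30T10:09:04Z info client disconnected device=dev-C',
  '2026-03-30T10:20:00Z info client message device=dev-B method=chat.send',
  'this line has no device field and is ignored',
];

// <timestamp> <level> <event text> device=<id>[ ...]
const LINE_RE = /^(\S+) \S+ (.*?) device=(\S+)/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, event: m[2], deviceId: m[3] };
}

// A removal is healthy only if a disconnect for the same device follows it
// within graceMs. Anything else the device does after the removal is counted
// as post-revocation activity and is evidence of the stale session being used.
function findPersistentSessions(lines, graceMs) {
  const events = lines.map(parseLine).filter(Boolean);
  const removals = events.filter((e) => e.event === 'device pairing removed');
  const findings = [];
  for (const removal of removals) {
    const later = events.filter(
      (e) => e.deviceId === removal.deviceId && e.ts > removal.ts,
    );
    const disconnected = later.some(
      (e) => e.event === 'client disconnected' && e.ts - removal.ts <= graceMs,
    );
    if (disconnected) continue;
    const actionsAfterRemoval = later.filter(
      (e) => e.event !== 'client disconnected' && e.event !== 'device pairing removed',
    ).length;
    findings.push({
      deviceId: removal.deviceId,
      removedAt: new Date(removal.ts).toISOString(),
      actionsAfterRemoval,
    });
  }
  return findings;
}

// Five seconds is a constructed grace window; tune it to how quickly the
// deferred disconnect is expected to land in your deployment.
console.log(findPersistentSessions(SAMPLE_LOG, 5000));
```

A removal with no disconnect at all, or with a disconnect only long after the grace window, is the alerting condition from the monitoring list above; the actionsAfterRemoval count tells the responder whether the stale session was merely idle or was actively used, which decides whether the audit step in the mitigation section is needed for that device.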
How to Mitigate CVE-2026-34503
Immediate Actions Required
- Upgrade OpenClaw to version 2026.3.28 or later immediately
- Restart all OpenClaw gateway instances to force termination of any potentially compromised persistent WebSocket sessions
- Review device and token revocation logs to identify any devices that were removed prior to patching and may still have active sessions
- Audit for any unauthorized actions that may have occurred through persistent sessions
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.3.28. The fix introduces the disconnectClientsForDevice function that is called asynchronously via queueMicrotask() when a device pairing is removed, ensuring all associated WebSocket clients are properly disconnected. The patch is available through the GitHub Commit. Additional details are available in the GitHub Security Advisory GHSA-2pr2-hcv6-7gwv.
Workarounds
- If immediate patching is not possible, implement scheduled restarts of gateway services to periodically force reconnection of all WebSocket clients
- Consider implementing network-level session termination when device removal or token revocation events are detected
- Monitor active WebSocket connections closely and manually terminate suspicious persistent sessions associated with removed devices
# Restart the OpenClaw gateway to force termination of all WebSocket sessions
systemctl restart openclaw-gateway
# Or, if the gateway process is managed by pm2 instead of systemd
pm2 restart openclaw-gateway
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

