CVE-2026-42421— OpenClaw < 2026.4.8 - WebSocket Session Persistence via Shared Gateway Token Rotation
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42421
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
OpenClaw < 2026.4.8 - WebSocket Session Persistence via Shared Gateway Token Rotation
Source: NVD (National Vulnerability Database)
Vulnerability Description
OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing shared-token sessions.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
不充分的会话过期机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
OpenClaw 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OpenClaw是OpenClaw开源的一个智能人工助理。 OpenClaw 2026.4.8之前版本存在代码问题漏洞,该漏洞源于会话管理问题,现有WebSocket会话在共享网关令牌轮换后仍然存活,可能导致攻击者在令牌轮换后利用未断开现有共享令牌会话的缺陷维持未授权访问。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-42421
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42421
请登录查看更多情报信息。
Patch · 1Advisory · 2
Same Patch Batch · OpenClaw · 2026-04-28 · 53 CVEs total
| CVE-2026-41386 | 9.1 CRITICAL | OpenClaw < 2026.3.22 - Privilege Escalation via Unbound Bootstrap Setup Codes |
| CVE-2026-41404 | 8.8 HIGH | OpenClaw < 2026.3.31 - Operator Admin Privilege Escalation via Trusted-Proxy Authenticatio |
| CVE-2026-41378 | 8.8 HIGH | OpenClaw < 2026.3.31 - Privilege Escalation to Remote Code Execution via Unrestricted node |
| CVE-2026-42426 | 8.8 HIGH | OpenClaw < 2026.4.8 - Improper Authorization in node.pair.approve via operator.write Scope |
| CVE-2026-42422 | 8.8 HIGH | OpenClaw < 2026.4.8 - Role Bypass in device.token.rotate Function |
| CVE-2026-41914 | 8.5 HIGH | OpenClaw < 2026.4.8 - Server-Side Request Forgery in QQ Bot Media Fetch Paths |
| CVE-2026-41394 | 8.2 HIGH | OpenClaw < 2026.3.31 - Unauthorized Operator Scope Access in Unauthenticated Plugin-Auth R |
| CVE-2026-41383 | 8.1 HIGH | OpenClaw < 2026.4.2 - Arbitrary Remote Directory Deletion via Mis-scoped Mirror Mode Paths |
| CVE-2026-42431 | 8.1 HIGH | OpenClaw < 2026.4.8 - Persistent Profile Mutation via node.invoke(browser.proxy) Bypass |
| CVE-2026-41384 | 7.8 HIGH | OpenClaw < 2026.3.24 - Environment Variable Injection via Workspace Config in CLI Backend |
| CVE-2026-41396 | 7.8 HIGH | OpenClaw < 2026.3.31 - Environment Variable Override of Plugin Trust Root |
| CVE-2026-41387 | 7.8 HIGH | OpenClaw < 2026.3.22 - Supply Chain Redirection via Incomplete Host Environment Sanitizati |
| CVE-2026-42432 | 7.8 HIGH | OpenClaw < 2026.4.8 - Command Escalation via Node Pairing Reconnect Bypass |
| CVE-2026-41912 | 7.6 HIGH | OpenClaw < 2026.4.8 - Server-Side Request Forgery Policy Bypass via Interaction-Triggered |
| CVE-2026-41399 | 7.5 HIGH | OpenClaw < 2026.3.28 - Denial of Service via Unbounded Pre-auth WebSocket Upgrades |
| CVE-2026-41405 | 7.5 HIGH | OpenClaw < 2026.3.31 - Resource Exhaustion via Unauthenticated MS Teams Webhook Body Parsi |
| CVE-2026-42423 | 7.5 HIGH | OpenClaw < 2026.4.8 - strictInlineEval Approval Boundary Bypass via Approval-Timeout Fallb |
| CVE-2026-41395 | 7.5 HIGH | OpenClaw < 2026.3.28 - Webhook Replay via Query Parameter Reordering in Plivo V3 |
| CVE-2026-41380 | 7.3 HIGH | OpenClaw < 2026.3.28 - Arbitrary Execution Allowlist via Wrapper Carrier Executables |
| CVE-2026-41390 | 7.3 HIGH | OpenClaw < 2026.3.28 - Exec Allowlist Bypass via Unregistered /usr/bin/script Wrapper |
Showing top 20 of 53 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: OpenClaw
- CVE-2026-45006
OpenClaw < 2026.4.23 - Unsafe Config Mutation via Gateway To - CVE-2026-45005
OpenClaw < 2026.4.23 - Webhook Route Secret Cache Not Invali - CVE-2026-45004
OpenClaw < 2026.4.23 - Arbitrary Code Execution via setup-ap - CVE-2026-45002
OpenClaw < 2026.4.20 - Hook Session-Key Bypass via Template - CVE-2026-45003
OpenClaw < 2026.4.22 - Connector Endpoint Host Override via
Same vendor: OpenClaw
- CVE-2026-8634
Crabbox < v0.12.0 Environment Variable Information Disclosur - CVE-2026-8629
Crabbox < v0.12.0 Privilege Escalation via Agent Ticket Endp - CVE-2026-8621
Crabbox < v0.12.0 Authentication Bypass via Header Spoofing - CVE-2026-45224
Crabbox < 0.9.0 Path Traversal via Islo Provider Workspace R - CVE-2026-45223
Crabbox < 0.9.0 Authentication Bypass via Admin Claim Inject
Same weakness: CWE-613
- CVE-2026-44553
Open WebUI: Stale Admin Role in Socket.IO Session Pool Enabl - CVE-2026-22706
Strapi: Password Reset Does Not Revoke Existing Refresh Sess - CVE-2026-44511
Katalyst Koi: Session cookies can be replayed after user log - CVE-2026-43911
Vaultwarden: Refresh tokens not invalidated on security stam - CVE-2026-41902
FreeScout's user invitation hash never expires: permanent un
V. Comments for CVE-2026-42421
No comments yet