📄 Description (English)
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.
🤖 AI Executive Summary
OpenClaw versions before 2026.3.28 fail to properly terminate WebSocket sessions when user credentials are revoked or devices are removed, allowing attackers with revoked access to maintain unauthorized connections. This vulnerability (CVSS 8.1) poses significant risk to organizations using OpenClaw for device management and authentication. Immediate patching to version 2026.3.28 or later is critical to prevent persistent unauthorized access.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 26, 2026 11:48
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations in critical sectors face significant risk: (1) Banking/SAMA-regulated institutions using OpenClaw for device authentication and API access control could experience unauthorized account access and transaction manipulation; (2) Government agencies and NCA-supervised entities managing sensitive systems could suffer persistent unauthorized access to classified networks; (3) Telecom operators (STC, Mobily, Zain) using OpenClaw for infrastructure management face risks to network integrity and customer data; (4) Healthcare providers managing medical devices and patient systems could experience HIPAA-equivalent compliance violations; (5) Energy sector (ARAMCO, SEC) managing critical infrastructure could face operational technology compromise. The vulnerability is particularly dangerous as revoked users remain connected indefinitely until forced reconnection.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Telecommunications
Healthcare and Medical Devices
Energy and Utilities
Critical Infrastructure
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.4
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all OpenClaw deployments in your environment and document current versions
2. Audit active WebSocket sessions and identify any connected users with revoked or suspended credentials
3. Force immediate disconnection of all active WebSocket sessions as emergency measure
4. Review access logs for the past 90 days to identify unauthorized session activity
PATCHING GUIDANCE:
1. Upgrade OpenClaw to version 2026.3.28 or later immediately
2. Test patches in non-production environment first
3. Schedule maintenance window for production deployment
4. Verify WebSocket session termination works correctly post-patch
COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement forced WebSocket session timeout (maximum 1 hour)
2. Deploy network-level monitoring to detect anomalous WebSocket activity
3. Implement real-time credential revocation checks at application layer
4. Disable WebSocket functionality if not critical until patch applied
DETECTION RULES:
1. Monitor for WebSocket connections from users with revoked tokens in authentication logs
2. Alert on WebSocket sessions persisting >24 hours without activity
3. Track disconnect/reconnect patterns for same user across multiple sessions
4. Monitor for API calls from WebSocket sessions after credential revocation timestamp
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع نشرات OpenClaw في بيئتك وتوثيق الإصدارات الحالية
2. تدقيق جلسات WebSocket النشطة وتحديد أي مستخدمين متصلين ببيانات اعتماد ملغاة أو معلقة
3. فرض قطع الاتصال الفوري لجميع جلسات WebSocket النشطة كإجراء طوارئ
4. مراجعة سجلات الوصول لآخر 90 يوماً لتحديد نشاط الجلسة غير المصرح به
إرشادات التصحيح:
1. ترقية OpenClaw إلى الإصدار 2026.3.28 أو أحدث فوراً
2. اختبار التصحيحات في بيئة غير الإنتاج أولاً
3. جدولة نافذة صيانة لنشر الإنتاج
4. التحقق من عمل إنهاء جلسة WebSocket بشكل صحيح بعد التصحيح
الضوابط التعويضية (إذا لم يكن التصحيح الفوري ممكناً):
1. تنفيذ انتهاء جلسة WebSocket القسري (الحد الأقصى ساعة واحدة)
2. نشر المراقبة على مستوى الشبكة لاكتشاف نشاط WebSocket الشاذ
3. تنفيذ فحوصات إلغاء بيانات الاعتماد في الوقت الفعلي على مستوى التطبيق
4. تعطيل وظيفة WebSocket إذا لم تكن حرجة حتى يتم تطبيق التصحيح
قواعد الكشف:
1. مراقبة اتصالات WebSocket من المستخدمين ذوي الرموز الملغاة في سجلات المصادقة
2. تنبيه جلسات WebSocket المستمرة >24 ساعة بدون نشاط
3. تتبع أنماط قطع الاتصال/إعادة الاتصال لنفس المستخدم عبر جلسات متعددة
4. مراقبة استدعاءات API من جلسات WebSocket بعد طابع زمني لإلغاء بيانات الاعتماد
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.6.2.1 - User access management and termination
ECC 2024 A.8.2.3 - Management of privileged access rights
ECC 2024 A.8.3.1 - Password management
ECC 2024 A.9.4.3 - Segregation of duties
ECC 2024 A.12.4.1 - Event logging and monitoring
🔵 SAMA CSF
SAMA CSF ID.AM-1 - Asset Management
SAMA CSF PR.AC-1 - Access Control Policy
SAMA CSF PR.AC-4 - Access Rights Management
SAMA CSF DE.CM-1 - Detection and Analysis
SAMA CSF RS.MI-2 - Incident Response and Management
🟡 ISO 27001:2022
ISO 27001:2022 A.5.3 - Segregation of duties
ISO 27001:2022 A.8.2 - User access management
ISO 27001:2022 A.8.3 - User responsibilities
ISO 27001:2022 A.9.2 - User access provisioning
ISO 27001:2022 A.12.4 - Logging
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Change default passwords
PCI DSS 6.2 - Security patches installation
PCI DSS 7.1 - Access control implementation
PCI DSS 8.1.4 - User access termination procedures
PCI DSS 10.2 - User access logging
🔗 References & Sources 3
🔗
https://github.com/openclaw/openclaw/commit/7a801cc451e9e667b705eeccff651923a1b8c863
disclosure@vulncheck.com
Patch
🔗
https://github.com/openclaw/openclaw/security/advisories/GHSA-2pr2-hcv6-7gwv
disclosure@vulncheck.com
Vendor Advisory
🔗
https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-...
disclosure@vulncheck.com
Third Party Advisory
📦 Affected Products / CPE 1 entries
openclaw:openclaw