CVE-2026-42421: OpenClaw: Existing WS sessions survive shared gateway token rotation

April 9, 2026 (updated April 28, 2026)

Existing WS sessions survive shared gateway token rotation.

Rotating the shared gateway token did not disconnect existing shared-token WebSocket sessions.

OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

References

github.com/advisories/GHSA-5h3f-885m-v22w
github.com/openclaw/openclaw
github.com/openclaw/openclaw/security/advisories/GHSA-5h3f-885m-v22w
nvd.nist.gov/vuln/detail/CVE-2026-42421

Code Behaviors & Features

Detect and mitigate CVE-2026-42421 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →