GHSA-rfqg-qgf8-xr9x: OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation

April 3, 2026 (updated April 6, 2026)

Gateway device.token.rotate does not terminate active WebSocket sessions after credential rotation

References

github.com/advisories/GHSA-rfqg-qgf8-xr9x
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/91f7a6b0fd67b703897e6e307762d471ca09333d
github.com/openclaw/openclaw/releases/tag/v2026.3.31
github.com/openclaw/openclaw/security/advisories/GHSA-rfqg-qgf8-xr9x

Code Behaviors & Features

Detect and mitigate GHSA-rfqg-qgf8-xr9x with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →