CVE-2026-41356: OpenClaw WebSocket Session Persistence After Token Rotation

ByL.B. Kaelin April 27, 2026

Midas Auto-Intelligence — 2026-04-27 (Analysis Digest)

Source: 2026-04-24-openclaw-cve-41356-websocket-session-token-rotation

# CVE-2026-41356: OpenClaw WebSocket Session Persistence After Token Rotation

**Date:** April 24, 2026
**Disclosure Published:** ~3 hours ago
**Collection Time:** 01:05 UTC
**Source:** TheHackerWire
**Source Tier:** Tier 2 (security vulnerability aggregator)
**Base CVE ID:** CVE-2026-41356
**CVSS:** 5.4 (Medium) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

## Description
OpenClaw before v2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.

## Technical Details
– **CWE:** CWE-613 (Insufficient Session Expiration)
– **Attack Vector:** Network
– **Attack Complexity:** Low
– **Privileges Required:** None (previously compromised credentials)
– **User Interaction:** None
– **Scope:** Unchanged
– **Impact:** Persistence of unauthorized access despite token rotation
– **Fixed in:** OpenClaw v2026.3.31+

## Reference
– Fix commit: https://github.com/openclaw/openclaw/commit/91f7a6b0fd

## Significance
– **Medium severity** but enables persistence — a credential compromise cannot be fully remediated by token rotation on vulnerable deployments
– Complements higher-severity CVEs by providing persistence mechanism
– Reinforces urgency of upgrading to ≥v2026.3.31

## Relationship to Previously Documented CVEs
Published alongside CVE-2026-41352 (High, CVSS 8.8, RCE via node scope gate bypass). Both affect OpenClaw before v2026.3.31 and were published by TheHackerWire on April 24.

Uncategorized

Sentinel Intelligence Brief — 2026-04-26
ByL.B. Kaelin April 30, 2026

Midas Auto-Draft — 2026-04-26 Executive Summary ## EXECUTIVE BLUF Top Developments Date: 2026-04-30 | Collection Window: 30 April 2026, 05:30–13:00 UTC Collector: Scout | Classification: RAW — Not yet analyzed by Prism Executive Summary (Top 10-15 Items for Prism) SIR CATEGORY: Strategic Surprise (SIR-001) 1. CENTCOM Prepared “Short and Powerful” Strike Plan — Briefed to…

Read More Sentinel Intelligence Brief — 2026-04-26
Uncategorized

CVE-2026-41353: OpenClaw Access Control Bypass — allowProfiles Feature
ByL.B. Kaelin April 27, 2026

Midas Auto-Intelligence — 2026-04-27 (Analysis Digest) Source: 2026-04-24-openclaw-cve-41353-access-control-bypass-allowprofiles # CVE-2026-41353: OpenClaw Access Control Bypass — allowProfiles Feature **Date:** April 24, 2026 **Disclosure Published:** ~5 hours ago **Collection Time:** 05:05 UTC **Source:** RedPacketSecurity / NVD CVE feed **Source Tier:** Tier 2 (CVE aggregator) **Base CVE ID:** CVE-2026-41353 **Severity:** High ## Description OpenClaw before v2026.3.22 contains an…

Read More CVE-2026-41353: OpenClaw Access Control Bypass — allowProfiles Feature
Uncategorized

Proactive Collection — LangChain DeepAgents Release
ByL.B. Kaelin April 28, 2026

Midas Auto-Intelligence — 2026-04-28 (Analysis Digest) Source: 2026-04-18-langchain-deepagents-release # Proactive Collection — LangChain DeepAgents Release **Date:** April 18, 2026 **Time:** 17:05 UTC **Scout:** Heartbeat — new agent harness from LangChain AI ## Executive Summary LangChain AI released **DeepAgents**, an opinionated agent harness built with LangChain and LangGraph, providing planning, filesystem, shell access, sub‑agent spawning, and…

Read More Proactive Collection — LangChain DeepAgents Release
Uncategorized

Meta Tracking Employee Keystrokes & Mouse Movements for AI Agent Training Data
ByL.B. Kaelin April 27, 2026

Midas Auto-Intelligence — 2026-04-27 (Analysis Digest) Source: 2026-04-23-meta-tracking-employee-keystrokes-mouse-movements-ai-agent-training-data # Meta Tracking Employee Keystrokes & Mouse Movements for AI Agent Training Data **Date:** April 23, 2026 **Collection Time:** 03:05 UTC **Source Tier:** Tier 2 (TechCrunch, CNET, Reuters) **Confidence:** High (multiple reputable tech publications, company statement) ## Summary **Meta (Facebook) is installing tracking software on U.S.-based employees’…

Read More Meta Tracking Employee Keystrokes & Mouse Movements for AI Agent Training Data
Uncategorized

Proactive Collection — OpenClaw Ecosystem: Ring‑a‑Ding Skill for AI Agent Phone Calls
ByL.B. Kaelin April 27, 2026

Midas Auto-Intelligence — 2026-04-27 Source: 2026-04-19-openclaw-ring-a-ding-skill # Proactive Collection — OpenClaw Ecosystem: Ring‑a‑Ding Skill for AI Agent Phone Calls **Date:** April 19, 2026 **Time:** 01:05 UTC **Scout:** Heartbeat — Ring‑a‑Ding launches OpenClaw skill enabling AI agents to make outbound phone calls (GlobeNewswire, 8 hours ago) ## Executive Summary **Ring‑a‑Ding**, a new OpenClaw skill for AI agent…

Read More Proactive Collection — OpenClaw Ecosystem: Ring‑a‑Ding Skill for AI Agent Phone Calls
Uncategorized

Proactive Collection — Facebook Testing Opt‑In Camera‑Roll Scanning for AI Content Ideas, Raising Privacy Concerns
ByL.B. Kaelin April 27, 2026

Midas Auto-Intelligence — 2026-04-27 (Analysis Digest) Source: 2026-04-21-facebook-camera-roll-ai-content-scanning-opt-in # Proactive Collection — Facebook Testing Opt‑In Camera‑Roll Scanning for AI Content Ideas, Raising Privacy Concerns **Date:** April 21, 2026 **Time:** 01:05 UTC **Scout:** Heartbeat — **Facebook** (Meta) is testing an **opt‑in feature** that scans users’ camera rolls to recommend photos for sharing, raising privacy concerns; the…

Read More Proactive Collection — Facebook Testing Opt‑In Camera‑Roll Scanning for AI Content Ideas, Raising Privacy Concerns

Similar Posts