3 matches found
Incorrect Authorization
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via the device.token.rotate function. An attacker can obtain unauthorized access to roles or scopes by rotating device tokens without the required pairing approval...
GHSA-WHF9-3HCX-GQ54 OpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing
Impact OpenClaw device.token.rotate mints tokens for unapproved roles, bypassing device role-upgrade pairing. Device token rotation could mint or preserve roles/scopes that had not gone through the intended pairing approval. OpenClaw is a user-controlled local assistant. This advisory is scoped t...
OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation
Summary Gateway device.token.rotate does not terminate active WebSocket sessions after credential rotation Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: v2026.3.28 rotates device tokens without disconnecting already-authenticated WebSocket sessions, which is a...