62 matches found
Spring Framework 5.3.x < 5.3.49 / 6.1.x < 6.1.28 / 6.2.x < 6.2.18.1 / 7.0.x < 7.0.7.1 Multiple Vulnerabilities
The version of Spring Framework installed on the remote host is 5.3.x prior to 5.3.49, 6.1.x prior to 6.1.28, 6.2.x prior to 6.2.18.1, or 7.0.x prior to 7.0.7.1. It is, therefore, affected by multiple vulnerabilities: - IDs for WebSocket sessions in the spring-websocket module are not...
CVE-2026-41838
IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 throug...
UBUNTU-CVE-2026-41838
IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 throug...
EUVD-2026-35325
IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 throug...
CVE-2026-41838
IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 throug...
PT-2026-47649
Name of the Vulnerable Software and Affected Versions Spring Framework versions 7.0.0 through 7.0.7 Spring Framework versions 6.2.0 through 6.2.18 Spring Framework versions 6.1.0 through 6.1.27 Spring Framework versions 5.3.0 through 5.3.48 Description WebSocket session IDs in the spring-websocke...
CVE-2026-42421
OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing shared-token...
CVE-2026-42421
OpenClaw prior to 2026.4.8 suffers a session-management vulnerability in which existing WebSocket sessions persist after shared gateway token rotation. This allows an unauthorized party to maintain access to WebSocket connections even after token rotation, due to failure to disconnect existing sh...
CVE-2026-42421
OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing shared-token...
CVE-2026-42421 OpenClaw < 2026.4.8 - WebSocket Session Persistence via Shared Gateway Token Rotation
OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing shared-token...
OpenClaw 代码问题漏洞
OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.8 had code vulnerabilities. These vulnerabilities stemmed from session management issues. Existing WebSocket sessions continued to exist after the shared gateway token rotation,...
EUVD-2026-25340
OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation...
CVE-2026-41356
OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation...
CVE-2026-41356
OpenClaw is affected prior to version 2026.3.31 by an issue where active WebSocket sessions are not terminated during device token rotation. The underlying cause is incomplete termination of WebSocket sessions when rotating tokens. This allows attackers who already have credentials to retain unau...
CVE-2026-41356 OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate
OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation...
CVE-2026-41356 OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate
OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation...
CVE-2026-41356
OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation...
OpenClaw 代码问题漏洞
OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.31 had code vulnerabilities. These vulnerabilities stemmed from failing to terminate WebSocket sessions during token rotation. Attackers who had previously leaked credentials...
Insufficient Session Expiration
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Insufficient Session Expiration due to the failure to terminate existing WebSocket sessions upon shared gateway token rotation. An attacker can maintain unauthorized access to an active...
GHSA-5H3F-885M-V22W OpenClaw: Existing WS sessions survive shared gateway token rotation
Impact Existing WS sessions survive shared gateway token rotation. Rotating the shared gateway token did not disconnect existing shared-token WebSocket sessions. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant...