CVE Catalog

CVE-2026-43566

Critical
Published: Translated: NVD NIST

Summary

OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when the run should have been downgraded.

Risk Assessment

This vulnerability may lead to unauthorized access to system resources, posing a serious security threat to the organization. Attackers could gain privileges that should not be granted to them.

Recommendation

It is recommended to update OpenClaw to version 2026.4.14 or later to mitigate this vulnerability. Additionally, conducting a security audit of webhooks is advisable to minimize risk.

Original NVD description (English source)

OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when the run should have been downgraded.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS