CVE-2026-43566
CriticalSummary
OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when the run should have been downgraded.
Risk Assessment
This vulnerability may lead to unauthorized access to system resources, posing a serious security threat to the organization. Attackers could gain privileges that should not be granted to them.
Recommendation
It is recommended to update OpenClaw to version 2026.4.14 or later to mitigate this vulnerability. Additionally, conducting a security audit of webhooks is advisable to minimize risk.
Original NVD description (English source)
OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when the run should have been downgraded.

