Critical severity 9.1 · GHSA Advisory · Published May 5, 2026 · Updated May 7, 2026
CVE-2026-43534
Description
OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate untrusted input into higher-trust agent context.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.4.10 | 2026.4.10 |
References
- github.com/openclaw/openclaw/commit/e3a845bde5b54f4f1e742d0a51ba9860f9619b29 (nvd; Patch; WEB)
- github.com/advisories/GHSA-7g8c-cfr3-vqqr (ghsa; ADVISORY)
- github.com/openclaw/openclaw/security/advisories/GHSA-7g8c-cfr3-vqqr (nvd; Vendor Advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-43534 (ghsa; ADVISORY)
- www.vulncheck.com/advisories/openclaw-unsanitized-external-input-in-agent-hook-events (nvd; Third Party Advisory; WEB)
- github.com/openclaw/openclaw/pull/64372 (ghsa; WEB)