Medium severity (6.8) · GHSA Advisory · Published May 5, 2026 · Updated May 7, 2026
CVE-2026-43535
Description
OpenClaw before 2026.4.14 contains an authorization-context reuse vulnerability in collect-mode queue batches: when a batch is drained, messages from different senders inherit the authorization context of the final sender in that batch. An attacker can exploit this by queuing multiple messages so that the batch drains under a more privileged sender's context, causing the attacker's earlier messages to execute with that sender's elevated permissions.
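The drain pattern described above, reduced to a runnable model, as an added example that is not OpenClaw's code: the type names, the `owner`/`guest` roles, the `canRunTools` capability and the sample batch are all hypothetical. The vulnerable drain resolves a single authorization context from the last message and applies it to every message in the batch; the fixed drain resolves the context from each message's own sender and additionally splits the batch so no sub-batch mixes senders. `escalatedMessages` is a check you could run over drained results to flag messages that executed with a capability their own sender does not hold.

```typescript
// Added illustrative example of authorization-context reuse in a collect-mode
// batch queue. All names here are hypothetical; this is not OpenClaw's code.

type Role = "owner" | "guest";

interface Sender {
  id: string;
  role: Role;
}

interface QueuedMessage {
  sender: Sender;
  text: string;
}

interface AuthContext {
  senderId: string;
  canRunTools: boolean; // hypothetical privileged capability gated on the sender's role
}

interface Executed {
  message: QueuedMessage;
  context: AuthContext; // the context the message was actually executed under
}

// Resolve the authorization context a single sender is entitled to.
function authContextFor(sender: Sender): AuthContext {
  return { senderId: sender.id, canRunTools: sender.role === "owner" };
}

// VULNERABLE pattern: one context is derived from the final message in the
// batch and reused for every earlier message, whoever sent it.
function drainBatchVulnerable(batch: QueuedMessage[]): Executed[] {
  if (batch.length === 0) return [];
  const shared = authContextFor(batch[batch.length - 1].sender);
  return batch.map((message) => ({ message, context: shared }));
}

// Group consecutive messages by sender so each sub-batch has exactly one sender.
function splitBySender(batch: QueuedMessage[]): QueuedMessage[][] {
  const groups: QueuedMessage[][] = [];
  for (const m of batch) {
    const last = groups[groups.length - 1];
    if (last && last[0].sender.id === m.sender.id) last.push(m);
    else groups.push([m]);
  }
  return groups;
}

// FIXED pattern: the context is resolved per message from that message's own
// sender, and the batch is split by sender before draining.
function drainBatchFixed(batch: QueuedMessage[]): Executed[] {
  const out: Executed[] = [];
  for (const group of splitBySender(batch)) {
    for (const message of group) {
      out.push({ message, context: authContextFor(message.sender) });
    }
  }
  return out;
}

// Check: which executed messages ran with a capability their own sender lacks?
function escalatedMessages(results: Executed[]): Executed[] {
  return results.filter(
    (r) => r.context.canRunTools && !authContextFor(r.message.sender).canRunTools,
  );
}

// Constructed sample batch: two attacker-controlled guest messages queued ahead
// of a privileged owner's message in the same collect-mode batch.
const guest: Sender = { id: "guest-1", role: "guest" };
const owner: Sender = { id: "owner-1", role: "owner" };
const sampleBatch: QueuedMessage[] = [
  { sender: guest, text: "run tool: list files in the home directory" },
  { sender: guest, text: "run tool: read the shell history" },
  { sender: owner, text: "what is on my calendar today?" },
];

// Under the vulnerable drain both guest messages execute as owner-1 with
// canRunTools = true; under the fixed drain neither does.
const vulnerableEscalations = escalatedMessages(drainBatchVulnerable(sampleBatch)).length;
const fixedEscalations = escalatedMessages(drainBatchFixed(sampleBatch)).length;
```

Running the block on `sampleBatch` gives two escalated messages for the vulnerable drain and none for the fixed one. The split-by-sender step is belt and braces: even if a later refactor reintroduced a batch-wide context, a batch that contains only one sender cannot leak another sender's permissions.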
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.4.14 | 2026.4.14 |
References
- Patch commit: github.com/openclaw/openclaw/commit/43d4be902755c970b3d15608679761877718da69
- GitHub Advisory GHSA-jwrq-8g5x-5fhm: github.com/advisories/GHSA-jwrq-8g5x-5fhm
- Vendor advisory: github.com/openclaw/openclaw/security/advisories/GHSA-jwrq-8g5x-5fhm
- NVD entry: nvd.nist.gov/vuln/detail/CVE-2026-43535
- Third-party advisory (VulnCheck): www.vulncheck.com/advisories/openclaw-authorization-context-reuse-in-collect-mode-queue-batches
- Fix pull request: github.com/openclaw/openclaw/pull/66024