Critical severity 9.1 · GHSA Advisory · Published May 5, 2026 · Updated May 7, 2026
CVE-2026-43566
Description
OpenClaw versions from 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability: the heartbeat owner-downgrade logic skips webhook wake events that carry untrusted content. An attacker who can deliver such a webhook wake event can preserve an owner-like execution context for a run that should have been downgraded.
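The description names the flaw class (a downgrade check that is keyed on how the run was triggered rather than on whether the content it carries is trusted) but not the mechanics. The following is an added example, not OpenClaw's code and not taken from the linked patch; the event kinds, the `resolveContext*` functions, the action policy and the sample events are all assumptions chosen to show the pattern beside its corrected form.

```javascript
// Added illustrative model of the flaw class described in CVE-2026-43566.
// This is NOT OpenClaw's code; every name, event kind and rule below is an
// assumption chosen to show the pattern (a downgrade check keyed on event
// kind instead of on content trust) and its fix.

const OWNER = "owner";         // full-privilege execution context
const UNTRUSTED = "untrusted"; // downgraded context for untrusted content

// A wake event: how the run was triggered, the payload it carries, and whether
// that payload originated from an owner-controlled source.
function makeWakeEvent(kind, content, trusted) {
  return { kind, content, trusted };
}

// Vulnerable variant: the downgrade is applied only to heartbeat wakes, so a
// webhook wake with untrusted content falls through and keeps the owner context.
function resolveContextVulnerable(event, currentContext) {
  if (event.kind === "heartbeat" && !event.trusted) return UNTRUSTED;
  return currentContext;
}

// Hardened variant: decide on content trust for every event kind, and treat
// unknown kinds as untrusted (default deny).
const KNOWN_KINDS = new Set(["heartbeat", "webhook"]);
function resolveContextFixed(event, currentContext) {
  if (!KNOWN_KINDS.has(event.kind)) return UNTRUSTED;
  if (!event.trusted) return UNTRUSTED;
  return currentContext;
}

// Hypothetical action policy: only the owner context may run privileged actions.
const PRIVILEGED_ACTIONS = new Set(["exec_shell", "read_secrets"]);
function canPerform(context, action) {
  if (PRIVILEGED_ACTIONS.has(action)) return context === OWNER;
  return true;
}

// Drive one wake event through a resolver and report whether the action the
// payload requests would be allowed. `content.action` is a constructed field.
function simulateRun(resolve, event) {
  const context = resolve(event, OWNER);
  return { context, allowed: canPerform(context, event.content.action) };
}

// Constructed sample events: a trusted heartbeat, and an attacker-supplied
// webhook whose payload asks for a privileged action.
const heartbeat = makeWakeEvent("heartbeat", { action: "exec_shell" }, true);
const hostileWebhook = makeWakeEvent("webhook", { action: "exec_shell" }, false);

// Compare both resolvers on the same events. With the vulnerable resolver the
// hostile webhook keeps the owner context and the privileged action is allowed;
// with the fixed resolver it is downgraded and the action is refused.
function demo() {
  return {
    vulnerable: simulateRun(resolveContextVulnerable, hostileWebhook),
    fixed: simulateRun(resolveContextFixed, hostileWebhook),
    heartbeatFixed: simulateRun(resolveContextFixed, heartbeat),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point to take from the two resolvers is that the fix is not "also check webhooks" but "never let the trigger kind decide trust": the hardened variant downgrades on untrusted content for every kind it knows and refuses kinds it does not, so a new trigger type added later cannot silently inherit the owner context.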
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | >= 2026.4.7, < 2026.4.14 | 2026.4.14 |
References
- github.com/openclaw/openclaw/commit/31281bc92f55796817a92bc43f722cba1e77ab42 (NVD: Patch)
- github.com/advisories/GHSA-g2hm-779g-vm32 (GHSA: Advisory)
- github.com/openclaw/openclaw/security/advisories/GHSA-g2hm-779g-vm32 (NVD: Vendor Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-43566 (GHSA: Advisory)
- www.vulncheck.com/advisories/openclaw-privilege-escalation-via-untrusted-webhook-wake-events (NVD: Third Party Advisory)
- github.com/openclaw/openclaw/pull/66031 (GHSA)