Critical severity 9.1 · NVD Advisory · Published May 6, 2026 · Updated May 7, 2026
CVE-2026-43578
Description
OpenClaw versions from 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability: the heartbeat owner-downgrade detection misses completion events emitted by local background async exec. An attacker can exploit this by supplying untrusted completion content, leaving a run in a more privileged context than intended.
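To make the description concrete, the following added example (not OpenClaw's code) runs the pre-patch substring check and the anchored patterns from the fix commit side by side over a set of constructed event strings, and attaches a hypothetical owner-downgrade step so the effect of a missed classification is visible. The `normalizeLowercaseStringOrEmpty` helper and the `resolveRunContext` model are assumptions about the surrounding logic, not OpenClaw's implementation.

```typescript
// Added example (not OpenClaw's code). Compares the pre-patch substring test for
// exec completion events with the anchored, shape-constrained patterns from the
// fix commit, and shows how a hypothetical heartbeat owner-context decision
// differs for each event shape.

type RunContext = "owner" | "downgraded";

// Mirrors the helper the patched file calls; assumed here to lower-case a
// string and map non-strings to "".
function normalizeLowercaseStringOrEmpty(value: unknown): string {
  return typeof value === "string" ? value.toLowerCase() : "";
}

// Pre-patch check: matches "exec finished" anywhere in the event, so it fires
// on reminder text that merely mentions it and never fires on the local
// background formats "Exec completed (...)" / "Exec failed (...)".
export function isExecCompletionEventBefore(evt: string): boolean {
  return normalizeLowercaseStringOrEmpty(evt).includes("exec finished");
}

// Patched check (patterns copied from the fix): anchored at the start of the
// event; completed/failed forms must carry a run id and an exit code or signal.
export function isExecCompletionEventAfter(evt: string): boolean {
  const normalized = normalizeLowercaseStringOrEmpty(evt).trimStart();
  return (
    /^exec finished(?::|\s*\()/.test(normalized) ||
    /^exec (completed|failed) \([a-z0-9_-]{1,64}, (code -?\d+|signal [^)]+)\)( :: .*)?$/.test(
      normalized,
    )
  );
}

// Hypothetical owner-downgrade step (an assumption, not OpenClaw's logic): a
// heartbeat run keeps its owner's context unless the event is classified as an
// exec completion, whose content is process output and must be handled in a
// downgraded context.
export function resolveRunContext(
  evt: string,
  isExecCompletion: (e: string) => boolean,
): RunContext {
  return isExecCompletion(evt) ? "downgraded" : "owner";
}

export interface AuditRow {
  event: string;
  before: RunContext;
  after: RunContext;
}

// Runs both classifiers over a set of events and reports the context each
// would leave the run in.
export function auditEvents(events: readonly string[]): AuditRow[] {
  return events.map((event) => ({
    event,
    before: resolveRunContext(event, isExecCompletionEventBefore),
    after: resolveRunContext(event, isExecCompletionEventAfter),
  }));
}

// Constructed sample events, modelled on the strings in the fix's test file.
export const SAMPLE_EVENTS: readonly string[] = [
  "exec finished: ok",
  "Exec completed (abc12345, code 0) :: some output",
  "Exec failed (abc12345, signal SIGTERM) :: error output",
  "Exec completed (rotate api keys)",
  "Reminder: if exec finished, notify me",
];

// Events the pre-patch logic left in the owner's context although the patched
// logic classifies them as exec completions: the gap the advisory describes.
export function missedDowngrades(rows: readonly AuditRow[]): string[] {
  return rows
    .filter((r) => r.before === "owner" && r.after === "downgraded")
    .map((r) => r.event);
}

for (const row of auditEvents(SAMPLE_EVENTS)) {
  console.log(`${row.before.padEnd(10)} -> ${row.after.padEnd(10)} ${row.event}`);
}
```

Running it shows the two local background completion formats moving from `owner` to `downgraded`, while the reminder that only mentions "exec finished" stops being mis-classified as a completion event.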
Affected products
Patches (2)
1. 19a2e9ddb5a8 fix(infra): extend exec completion detection to cover local background exec formats [AI-assisted] (#64376)
3 files changed · +20 −2
CHANGELOG.md+1 −0 modified@@ -124,6 +124,7 @@ Docs: https://docs.openclaw.ai - Browser/sandbox: gate `/sandbox/novnc` behind bridge auth and stop surfacing sandbox observer URLs in model-visible prompt context. (#63882) Thanks @eleqtrizit. - Discord/sandbox: include `image` in sandbox media param normalization so Discord event cover images cannot bypass sandbox path rewriting. (#64377) Thanks @mmaps. +- Agents/exec: extend exec completion detection to cover local background exec formats so the owner-downgrade fires correctly for all exec paths. (#64376) Thanks @mmaps. ## 2026.4.9 ### Changes
src/infra/heartbeat-events-filter.test.ts+12 −1 modified@@ -71,7 +71,13 @@ describe("heartbeat event prompts", () => { describe("heartbeat event classification", () => { it.each([ { value: "exec finished: ok", expected: true }, - { value: "Exec Finished: failed", expected: true }, + { value: "Exec finished (node=abc, code 0)", expected: true }, + { value: "Exec Finished (node=abc, code 1)", expected: true }, + { value: "Exec completed (abc12345, code 0) :: some output", expected: true }, + { value: "Exec failed (abc12345, signal SIGTERM) :: error output", expected: true }, + { value: "Exec completed (rotate api keys)", expected: false }, + { value: "Exec failed: notify me if this happens", expected: false }, + { value: "Reminder: if exec failed, notify me", expected: false }, { value: "cron finished", expected: false }, ])("classifies exec completion events for %j", ({ value, expected }) => { expect(isExecCompletionEvent(value)).toBe(expected); @@ -87,6 +93,11 @@ describe("heartbeat event classification", () => { { value: "heartbeat poll: noop", expected: false }, { value: "heartbeat wake: noop", expected: false }, { value: "exec finished: ok", expected: false }, + { value: "Exec finished (node=abc, code 0)", expected: false }, + { value: "Exec completed (abc12345, code 0) :: some output", expected: false }, + { value: "Exec failed (abc12345, signal SIGTERM) :: error output", expected: false }, + { value: "Exec completed (rotate api keys)", expected: true }, + { value: "Reminder: if exec failed, notify me", expected: true }, ])("classifies cron system events for %j", ({ value, expected }) => { expect(isCronSystemEvent(value)).toBe(expected); });
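Review bot: the removed case `{ value: "Exec Finished: failed", expected: true }` still passes under the new `^exec finished(?::|\s*\()` pattern and was the only colon-form case with a non-`ok` status, so keep it next to the new parenthesized cases rather than dropping it. The first hunk also has no negative case for the `finished` form with free text in the parentheses, e.g. `{ value: "Exec finished (rotate api keys)", expected: ? }`, which would mirror the `Exec completed (rotate api keys)` case and document whether that shape is meant to count as a completion event.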
src/infra/heartbeat-events-filter.ts+7 −1 modified@@ -85,7 +85,13 @@ function isHeartbeatNoiseEvent(evt: string): boolean { } export function isExecCompletionEvent(evt: string): boolean { - return normalizeLowercaseStringOrEmpty(evt).includes("exec finished"); + const normalized = normalizeLowercaseStringOrEmpty(evt).trimStart(); + return ( + /^exec finished(?::|\s*\()/.test(normalized) || + /^exec (completed|failed) \([a-z0-9_-]{1,64}, (code -?\d+|signal [^)]+)\)( :: .*)?$/.test( + normalized, + ) + ); } // Returns true when a system event should be treated as real cron reminder content.
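Review bot: the two patterns in `isExecCompletionEvent` are not equally strict: `/^exec finished(?::|\s*\()/` accepts any text after the colon or opening parenthesis, while the completed/failed pattern requires an id of up to 64 `[a-z0-9_-]` characters and a `code`/`signal` field, so `exec finished (rotate api keys)` is treated as a completion event while `exec completed (rotate api keys)` is not. If the `finished` form always carries the `(node=..., code N)` shape seen in the tests, consider requiring that shape there as well (note that `node=abc` contains `=`, which the `[a-z0-9_-]` class rejects, so the id class would need widening if the two are unified). Separately, `trimStart()` only strips leading whitespace, so a trailing space or newline after `)` makes the `$`-anchored pattern fail; `trim()` would cover both ends.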
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
- github.com/openclaw/openclaw/commit/19a2e9ddb5a8a494abcba812bb11f51075026a27 (NVD: Patch)
- github.com/openclaw/openclaw/security/advisories/GHSA-g375-h3v6-4873 (NVD: Mitigation, Vendor Advisory)
- www.vulncheck.com/advisories/openclaw-privilege-escalation-via-missed-async-exec-completion-events-in-heartbeat-owner-downgrade (NVD: Third Party Advisory)
News mentions (0)
No linked articles in our index yet.