CVE-2026-43566
Undergoing Analysis Undergoing Analysis - In Progress
Privilege Escalation in OpenClaw via Untrusted Webhook Wake Events

Publication date: 2026-05-05

Last updated on: 2026-05-07

Assigner: VulnCheck

Description
OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when the run should have been downgraded.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-43566
EUVD
EUVD-2026-27283
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw From 2026.4.7 (inc) to 2026.4.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of CVE-2026-43566 on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-43566 is a privilege escalation vulnerability in OpenClaw versions 2026.4.7 through 2026.4.13. The issue arises because the heartbeat owner downgrade logic incorrectly skips webhook wake events that contain untrusted content. This flaw allows attackers to send malicious webhook wake events that preserve an owner-like execution context, meaning the system mistakenly retains elevated privileges when it should have downgraded them.

The vulnerability is caused by incomplete input validation in the heartbeat owner downgrade logic, which fails to properly handle untrusted webhook wake events. This results in unauthorized privilege escalation by retaining elevated execution privileges.

The issue was fixed in OpenClaw version 2026.4.14 by ensuring that untrusted webhook wake events trigger the proper downgrade of privileges.

Impact Analysis

This vulnerability can allow an attacker to escalate their privileges within the OpenClaw system by exploiting untrusted webhook wake events. Specifically, attackers can maintain an owner-like execution context when the system should have downgraded their privileges, potentially enabling unauthorized actions or access.

Such unauthorized privilege escalation can lead to compromise of system integrity, unauthorized access to sensitive functions or data, and potentially further exploitation within the affected environment.

Detection Guidance

This vulnerability involves untrusted webhook wake events that preserve elevated execution context when they should be downgraded. Detection would involve monitoring webhook wake events for untrusted or suspicious content that bypasses the owner downgrade logic.

Since the vulnerability is related to webhook wake events carrying untrusted content, you can inspect logs or webhook event payloads for unusual or unexpected system events marked as untrusted.

Specific commands are not provided in the available resources, but general approaches include:

  • Review OpenClaw webhook event logs for entries containing "System (untrusted):" or similar markers indicating untrusted system events.
  • Use log analysis tools or grep commands to search for untrusted webhook wake events, for example: `grep -i 'System (untrusted):' /path/to/openclaw/logs`.
  • Monitor for webhook wake events that result in owner-like execution context preservation when it should have been downgraded.
Mitigation Strategies

The primary and immediate mitigation step is to upgrade OpenClaw to version 2026.4.14 or later, as this version includes the patch that fixes the vulnerability.

The fix ensures that untrusted webhook wake events trigger proper owner downgrade logic, preventing privilege escalation.

Until the upgrade can be applied, consider restricting or validating incoming webhook wake events to block untrusted or suspicious content that could exploit this flaw.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43566. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart