CVE-2026-43566
Undergoing Analysis - In Progress
Privilege Escalation in OpenClaw via Untrusted Webhook Wake Events

Publication date: 2026-05-05

Last updated on: 2026-05-05

Assigner: VulnCheck

Description
OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when the run should have been downgraded.
Meta Information
Published: 2026-05-05
Last Modified: 2026-05-05
Generated: 2026-05-06
AI Q&A: 2026-05-05
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 3 associated CPEs
Vendor   | Product  | Version / Range
openclaw | openclaw | from 2026.4.7 (inclusive) to 2026.4.14 (exclusive)
openclaw | openclaw | from 2026.4.14 (inclusive)
openclaw | openclaw | up to 2026.4.14 (exclusive)
CWE
CWE-184 (Incomplete List of Disallowed Inputs): The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-43566 is a privilege escalation vulnerability in OpenClaw versions 2026.4.7 through 2026.4.13. The issue arises because the heartbeat owner downgrade logic incorrectly skips webhook wake events that contain untrusted content. This flaw allows attackers to send malicious webhook wake events that preserve an owner-like execution context, meaning the system mistakenly retains elevated privileges when it should have downgraded them.

The vulnerability is caused by incomplete input validation in the heartbeat owner downgrade logic, which fails to properly handle untrusted webhook wake events. This results in unauthorized privilege escalation by retaining elevated execution privileges.

The issue was fixed in OpenClaw version 2026.4.14 by ensuring that untrusted webhook wake events trigger the proper downgrade of privileges.


How can this vulnerability impact me?

This vulnerability can allow an attacker to escalate their privileges within the OpenClaw system by exploiting untrusted webhook wake events. Specifically, attackers can maintain an owner-like execution context when the system should have downgraded their privileges, potentially enabling unauthorized actions or access.

Such unauthorized privilege escalation can lead to compromise of system integrity, unauthorized access to sensitive functions or data, and potentially further exploitation within the affected environment.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves untrusted webhook wake events that preserve elevated execution context when they should be downgraded. Detection would involve monitoring webhook wake events for untrusted or suspicious content that bypasses the owner downgrade logic.

Since the vulnerability is related to webhook wake events carrying untrusted content, you can inspect logs or webhook event payloads for unusual or unexpected system events marked as untrusted.

Specific commands are not provided in the available resources, but general approaches include:

  • Review OpenClaw webhook event logs for entries containing "System (untrusted):" or similar markers indicating untrusted system events.
  • Use log analysis tools or grep commands to search for untrusted webhook wake events, for example: `grep -i 'System (untrusted):' /path/to/openclaw/logs`.
  • Monitor for webhook wake events that result in owner-like execution context preservation when it should have been downgraded.
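The incomplete-skip-list bug described above and the log check suggested in the detection answer, as an added illustration that is not OpenClaw's code: a hypothetical model of the downgrade decision in TypeScript (assuming the agent's language; the event fields, the log-line format and the sample log are constructed for this example), with the vulnerable shape beside the fixed one and a scan that flags webhook wakes that kept the owner context.

```typescript
// Hypothetical model of a heartbeat run's privilege decision (not OpenClaw's
// source). Each wake event records where it came from and whether its content
// is trusted, i.e. authored by the owner rather than by an external sender.
type WakeSource = "timer" | "owner-message" | "webhook";
type ExecContext = "owner" | "downgraded";
interface WakeEvent { source: WakeSource; trustedContent: boolean; body: string }

// Vulnerable shape (CWE-184): the downgrade check is skipped for one source,
// so a webhook wake keeps the owner context no matter what it carries.
function resolveContextVulnerable(ev: WakeEvent): ExecContext {
  if (ev.source === "webhook") return "owner"; // incomplete skip list
  return ev.trustedContent ? "owner" : "downgraded";
}

// Fixed shape: the decision keys on content trust alone; no source is exempt.
function resolveContextFixed(ev: WakeEvent): ExecContext {
  return ev.trustedContent ? "owner" : "downgraded";
}

// Detection over run logs. The line layout below is constructed for this
// example; adapt the pattern to the real log format before use.
//   <timestamp> wake source=<source> ctx=<owner|downgraded> <body>
const WAKE_LINE = /^\S+ wake source=(\S+) ctx=(owner|downgraded) (.*)$/;

// Returns lines where an untrusted webhook wake ran with the owner context,
// which is exactly the condition the patched downgrade logic rules out.
function findUndowngradedWebhookWakes(lines: string[]): string[] {
  return lines.filter((line) => {
    const m = WAKE_LINE.exec(line);
    if (m === null) return false;
    const [, source, ctx, body] = m;
    return source === "webhook" && ctx === "owner" && body.includes("System (untrusted):");
  });
}

// Constructed sample log: one benign timer wake, one webhook wake that kept
// the owner context, one webhook wake that was correctly downgraded.
const sampleLog: string[] = [
  "2026-05-05T10:00:00Z wake source=timer ctx=owner scheduled heartbeat",
  "2026-05-05T10:01:00Z wake source=webhook ctx=owner System (untrusted): restart job",
  "2026-05-05T10:02:00Z wake source=webhook ctx=downgraded System (untrusted): hello",
];

// Constructed event for comparing the two decision functions directly.
const untrustedWebhookWake: WakeEvent = {
  source: "webhook", trustedContent: false, body: "System (untrusted): restart job",
};
```

Running `findUndowngradedWebhookWakes(sampleLog)` returns only the 10:01:00Z line; `resolveContextVulnerable(untrustedWebhookWake)` yields "owner" while the fixed function yields "downgraded".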

What immediate steps should I take to mitigate this vulnerability?

The primary and immediate mitigation step is to upgrade OpenClaw to version 2026.4.14 or later, as this version includes the patch that fixes the vulnerability.

The fix ensures that untrusted webhook wake events trigger proper owner downgrade logic, preventing privilege escalation.

Until the upgrade can be applied, consider restricting or validating incoming webhook wake events to block untrusted or suspicious content that could exploit this flaw.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of CVE-2026-43566 on compliance with common standards and regulations such as GDPR or HIPAA.

