CVE-2026-43583
OpenClaw Session Context Bypass via Media Queue Recovery
Publication date: 2026-05-06
Last updated on: 2026-05-07
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | From 2026.4.10 (inc) to 2026.4.14 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability affects OpenClaw versions 2026.4.10 before 2026.4.14. The software fails to persist session context during delivery queue recovery for media replay. As a result, attackers can exploit the recovered queued outbound media to bypass group tool policy enforcement and weaken channel media restrictions after the service restarts or recovers.
How can this vulnerability impact me? :
The impact of this vulnerability is that attackers may bypass security policies related to group tools and media channel restrictions. This can lead to unauthorized media being delivered or replayed after a service restart or recovery, potentially compromising the intended controls and security measures in place.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade OpenClaw to version 2026.4.14 or newer.
The fixed version persists the relevant session context with delivery queue entries to ensure recovered media dispatch undergoes the same group tool policy checks, preventing attackers from bypassing policy enforcement.