Home / Vulnerability Intelligence / CVE-2026-43566

CVE-2026-43566 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: May 5, 2026

OpenClaw - Privilege Escalation

Published: May 5, 2026Updated: May 5, 2026Remote Exploitable

Overview

OpenClaw 2026.4.7 < 2026.4.14 contains a privilege escalation vulnerability caused by heartbeat owner downgrade logic skipping webhook wake events with untrusted content, letting attackers preserve owner-like execution context, exploit requires sending untrusted webhook wake events.

Severity & Score

Severity: Critical

CVSS Score: 9.1

Impact

Attackers can escalate privileges by preserving owner-like execution context, potentially gaining unauthorized access or control.

Mitigation

Upgrade to version 2026.4.14 or later.

References

https://github.com/openclaw/openclaw/commit/31281bc92f55796817a92bc43f722cba1e77ab42
https://github.com/openclaw/openclaw/security/advisories/GHSA-g2hm-779g-vm32
https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-untrusted-webhook-wake-events

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-43566
Severity: Critical
CVSS Score: 9.1
Type: broken_access_control
Status: new

CWE

CWE-184

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N