CVE Catalog

CVE-2026-43578

Critical
Published: Translated: NVD NIST

Summary

OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged context than intended.

Risk Assessment

Organizations may be exposed to unauthorized access to more privileged resources, potentially leading to serious security breaches and data loss.

Recommendation

It is recommended to update OpenClaw to version 2026.4.10 or later to mitigate this vulnerability and implement additional security measures to monitor and restrict access to the system.

Original NVD description (English source)

OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged context than intended.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS