CVE-2026-43578
CriticalSummary
OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged context than intended.
Risk Assessment
Organizations may be exposed to unauthorized access to more privileged resources, potentially leading to serious security breaches and data loss.
Recommendation
It is recommended to update OpenClaw to version 2026.4.10 or later to mitigate this vulnerability and implement additional security measures to monitor and restrict access to the system.
Original NVD description (English source)
OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged context than intended.

