CVSS 9.1 · CRITICAL

CVE-2026-43578

OpenClaw versions from 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability: the heartbeat owner downgrade detection misses local background async exec completion events. An attacker can exploit this by providing untrusted completion content, leaving a run in a more privileged context than intended.


Analysis

OpenClaw is a niche engine or utility with little adoption in the standard web or mobile development stacks. Although the privilege escalation vulnerability is rated critical, the software's limited footprint within the community does not justify a broad alert.

Severity

Score: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: NONE
Weakness (CWE): CWE-184 (Incomplete List of Disallowed Inputs)

EPSS

No EPSS score yet (CVE may be too fresh).

Published: 5/6/2026, 8:16:33 PM
Last modified: 5/6/2026, 9:21:14 PM
