CVSS 9.1 · CRITICAL

CVE-2026-43578

OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged context than intended.

View on NVD

Analysis

OpenClaw is a niche engine or utility not widely adopted in the standard web or mobile development stacks. While the privilege escalation vulnerability is critical, the software's limited footprint within the community does not justify a broad alert.

Severity

Score: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: NONE
Weakness type (CWE): CWE-184

EPSS

No EPSS score yet (very recent CVE).

Published: 6/5/2026, 20:16:33
Last modified: 6/5/2026, 21:21:14
