9.1

CVE-2026-43566: OpenClaw versions 2026.4.7 to 2026.4.13 have a security flaw that lets attackers gain extra access

Summary

OpenClaw versions 2026.4.7 to 2026.4.13 are affected. The heartbeat owner downgrade logic skips webhook wake events that carry untrusted content, so an attacker who sends such an event can keep owner-like execution context for a run that should have been downgraded, gaining more access than intended. To stay safe, update to version 2026.4.14 or later.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor    Product    Affected versions
openclaw  openclaw   >= 2026.4.7, < 2026.4.14
CPE: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Original description
OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when the run should have been downgraded.
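The description above names a CWE-184 pattern: a downgrade check that enumerates which wake events count as untrusted and leaves one kind (webhook) off the list. The snippet below is an added illustration of that pattern and of the default-deny form that avoids it; it is not OpenClaw's code, and every function name, event field and sample event in it is invented for this example.

```javascript
// Hypothetical illustration of the CWE-184 pattern in the record above:
// a run should lose owner privileges whenever its wake event carries content
// the system did not author. Not OpenClaw code; all names and event shapes
// are constructed for this example.

const OWNER = 'owner';
const RESTRICTED = 'restricted';

// Vulnerable pattern: an enumerated list of event kinds that trigger the
// downgrade. Any kind missing from the list (here, 'webhook') keeps the
// owner context even though its payload is untrusted.
const UNTRUSTED_KINDS = new Set(['inbound-message', 'cron-with-input']);

function resolveRunContextIncomplete(event) {
  if (UNTRUSTED_KINDS.has(event.kind)) return RESTRICTED;
  return OWNER;
}

// Hardened pattern: decide on the property that actually matters (is the
// event internally generated and free of foreign content?) and fall back to
// the restricted context otherwise, so new event kinds are safe by default.
function resolveRunContextDefaultDeny(event) {
  const internal = event.origin === 'internal';
  const hasPayload = event.payload !== undefined && event.payload !== null;
  return internal && !hasPayload ? OWNER : RESTRICTED;
}

// Constructed sample events: a plain heartbeat, a listed untrusted kind,
// and a webhook wake event that the enumerated check does not cover.
const SAMPLE_EVENTS = [
  { kind: 'heartbeat', origin: 'internal' },
  { kind: 'inbound-message', origin: 'external', payload: 'hello' },
  { kind: 'webhook', origin: 'external', payload: '{"text":"external data"}' },
];

// Run both resolvers over the samples so the gap is visible side by side.
function compareResolvers(events = SAMPLE_EVENTS) {
  return events.map((e) => ({
    kind: e.kind,
    incomplete: resolveRunContextIncomplete(e),
    defaultDeny: resolveRunContextDefaultDeny(e),
  }));
}

for (const row of compareResolvers()) {
  console.log(`${row.kind}: list-based=${row.incomplete}, default-deny=${row.defaultDeny}`);
}
```

The webhook row is the one to watch: the list-based resolver leaves it at `owner`, while the default-deny resolver restricts it. When auditing similar downgrade logic, look for any decision keyed on an enumerated set of event kinds rather than on whether the event carries untrusted content.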
CVSS 3.1 (NVD): 9.1
CVSS 4.0 (NVD): 9.1
Vulnerability type
CWE-184 (Incomplete List of Disallowed Inputs)
Published: 5 May 2026 · Updated: 28 May 2026 · First seen: 5 May 2026