Privilege Escalation Vulnerability in OpenClaw by OpenClaw
CVE-2026-43578
9.1 CRITICAL
What is CVE-2026-43578?
OpenClaw versions up to 2026.3.31 contain a privilege escalation vulnerability caused by a flaw in the heartbeat owner downgrade detection mechanism. The flaw stems from the mechanism failing to adequately track completion events for local background asynchronous execution. An attacker can exploit this oversight to introduce untrusted completion content, potentially executing code with privileges beyond the intended context. Users of affected OpenClaw versions are advised to upgrade to version 2026.4.10 or later to mitigate this risk.
Affected Version(s)
OpenClaw 2026.3.31 < 2026.4.10
OpenClaw 2026.4.10
CVSS V4
Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
zsx (@zsxsoft)
qclawer
KeenSecurityLab
