CVE-2026-43578

Summary

OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged context than intended.

Affected Software

VendorProductVersion RangeStatus
OpenClawOpenClaw2026.3.31 < 2026.4.10affected
OpenClawOpenClaw2026.4.10unaffected

Weaknesses

  • CWE-184: CWE-184: Incomplete List of Disallowed Inputs

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References