CVE-2026-43566: OpenClaw Privilege Escalation via Untrusted Webhook Events

The National Vulnerability Database has identified CVE-2026-43566, a critical privilege escalation vulnerability (CVSS 9.1) affecting OpenClaw versions prior to 2026.4.14. The flaw stems from improper handling of webhook wake events, where the system fails to correctly downgrade execution context when processing untrusted content. This bypasses intended security checks, allowing an attacker to maintain elevated privileges.

Attackers can exploit this by sending specially crafted, untrusted webhook events. The vulnerability lies in the heartbeat owner downgrade logic, which incorrectly preserves an owner-like execution context instead of downgrading it as intended when processing these events. This allows for unauthorized privilege escalation, giving attackers broader access than they should have.
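The flaw class described above, as a simplified model with a fail-closed alternative beside it. This is an added example, not OpenClaw's code: the names `Context`, `WakeEvent`, `select_context_flawed`, `select_context_hardened` and the event source labels are hypothetical, and the real implementation may differ.

```python
from dataclasses import dataclass
from enum import Enum


class Context(Enum):
    OWNER = "owner"            # full privileges of the instance owner
    RESTRICTED = "restricted"  # downgraded context for untrusted input


@dataclass(frozen=True)
class WakeEvent:
    source: str            # hypothetical labels: "webhook", "timer", "owner"
    trusted_content: bool  # False when the payload came from outside


def select_context_flawed(events):
    """Flaw pattern: webhook wake events are skipped by the downgrade check,
    so untrusted content they carry never forces a downgrade."""
    for ev in events:
        if ev.source == "webhook":
            continue  # skipped: the owner-like context is preserved
        if not ev.trusted_content:
            return Context.RESTRICTED
    return Context.OWNER


def select_context_hardened(events):
    """Fail closed: owner context only when there is at least one event and
    every event, whatever its source, carries trusted content."""
    if events and all(ev.trusted_content for ev in events):
        return Context.OWNER
    return Context.RESTRICTED


# Constructed sample: an owner-initiated wake plus a webhook wake whose
# payload is attacker-controlled.
SAMPLE = [
    WakeEvent(source="owner", trusted_content=True),
    WakeEvent(source="webhook", trusted_content=False),
]

if __name__ == "__main__":
    print("flawed  :", select_context_flawed(SAMPLE).value)
    print("hardened:", select_context_hardened(SAMPLE).value)
```

The hardened variant treats the downgrade as the default and owner context as the exception, so a new event source cannot silently inherit elevated privileges.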

Defenders must prioritize patching OpenClaw installations to version 2026.4.14 or later immediately. Organizations should also audit their systems for any signs of exploitation, particularly focusing on webhook event logs and unusual privilege escalations around the time of event processing.

What This Means For You

  • If your organization uses OpenClaw, you must patch immediately to version 2026.4.14 or later. This vulnerability allows unauthenticated attackers to escalate privileges, potentially leading to full system compromise. Review your webhook configurations and audit logs for any suspicious activity related to event processing.

Indicators of Compromise

ID             | Type                 | Indicator
CVE-2026-43566 | Privilege Escalation | OpenClaw versions before 2026.4.14
CVE-2026-43566 | Privilege Escalation | OpenClaw heartbeat owner downgrade logic
CVE-2026-43566 | Privilege Escalation | Skipping webhook wake events carrying untrusted content
Source & Attribution
Source Platform: NVD
Channel: National Vulnerability Database
Published: May 05, 2026 at 15:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
