Description
OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when the run should have been downgraded.
Published: 2026-05-05
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated remote attacker can elevate privileges by sending crafted webhook wake events whose untrusted content is not subjected to the heartbeat owner downgrade logic, so the run keeps an owner-like execution context instead of being downgraded. The flaw sits in the heartbeat module and is classified as CWE-184 (Incomplete List of Disallowed Inputs): the downgrade check enumerates the cases it handles and does not cover webhook wake events. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) records high confidentiality and integrity impact with no privileges or user interaction required; availability is not affected.

Affected Systems

OpenClaw versions 2026.4.7 through 2026.4.13 (the Node.js application identified by the CPE below) are affected, because the heartbeat owner downgrade logic in these releases skips webhook wake events carrying untrusted content. The description's "before 2026.4.14" bound indicates that 2026.4.14 contains the corrected logic.

Risk and Exploitability

The CVSS score of 9.1 signals a critical risk level. EPSS is below 1% (very low) and the vulnerability is not listed in CISA's KEV catalog; the SSVC assessment recorded in the history below gives Exploitation: none, Automatable: yes and Technical Impact: partial, so no exploitation is known at the time of writing even though the attack is considered automatable. The attack vector is network (AV:N) via the webhook interface: an adversary who can deliver wake events to it gains owner-like execution context without authentication. The CVSS 4.0 vector additionally records AT:P, meaning the attack depends on a deployment or execution condition that the attacker does not control.

Generated by OpenCVE AI on May 5, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround is recorded in this field; the CVE description and the GitHub advisory listed below indicate that the fix ships in OpenClaw 2026.4.14.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw 2026.4.14 or later to include the fixed heartbeat logic.
  • If an immediate upgrade is not feasible, consult the GitHub advisory GHSA-g2hm-779g-vm32 (listed under Advisories) for the fixing change and backport it so that the owner downgrade check also covers webhook wake events carrying untrusted content.
  • Until patched, restrict the webhook interface to authenticated, trusted senders (for example by verifying a shared-secret signature on each wake event) or disable webhook wake events entirely. Note that authenticating the sender only limits who can reach the interface; content relayed through a webhook remains untrusted, so the downgrade logic itself still has to be corrected.

Generated by OpenCVE AI on May 5, 2026 at 12:22 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-g2hm-779g-vm32
Title: OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events
History

Tue, 05 May 2026 15:15:00 +0000

Metrics added (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 05 May 2026 11:45:00 +0000

Values added (nothing removed):

Description: OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when the run should have been downgraded.
Title: OpenClaw 2026.4.7 < 2026.4.14 - Privilege Escalation via Untrusted Webhook Wake Events
First time appeared: Openclaw (vendor); Openclaw openclaw (product)
Weaknesses: CWE-184
CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products: Openclaw (vendor); Openclaw openclaw (product)
References: none recorded
Metrics (cvssV3_1): {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
Metrics (cvssV4_0): {'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-05T14:34:42.324Z

Reserved: 2026-05-01T16:58:23.116Z

Link: CVE-2026-43566

Vulnrichment

Updated: 2026-05-05T14:28:50.306Z

NVD

Status : Undergoing Analysis

Published: 2026-05-05T12:16:20.040

Modified: 2026-05-05T19:32:49.650

Link: CVE-2026-43566

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T13:45:25Z

Weaknesses