Description
OpenClaw before 2026.4.20 fails to properly preserve untrusted labels for isolated cron awareness events, allowing webhook-triggered cron agent output to be recorded as trusted system events. Attackers can exploit this trust-labeling issue to strengthen prompt-injection attacks by rendering untrusted events as trusted System events.
Published: 2026-05-11
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw versions prior to 2026.4.20 fail to preserve untrusted labels for isolated cron awareness events, causing webhook‑triggered cron agent output to be recorded as trusted system events. This flaw allows attackers to elevate the trust level of malicious data, facilitating stronger prompt‑injection attacks that treat untrusted events as legitimate system events. The weakness is rooted in improper neutralization of trust boundaries (CWE‑345).

Affected Systems

The vulnerability affects all OpenClaw products under the vendor name OpenClaw, specifically versions before 2026.4.20. Users running 2026.4.19 or older are at risk.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity. The EPSS score is not available, suggesting no current data on exploitation probability, and the issue is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker can exploit the flaw by sending malicious webhook payloads that trigger isolated cron events; these events are then marked as trusted, enabling the attacker to inject commands or prompts that the system would otherwise reject. The attack vector is likely remote through webhooks, making the flaw exploitable over the network if the webhook interface is reachable.

Generated by OpenCVE AI on May 11, 2026 at 18:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.4.20 or later
  • Limit webhook ingress to trusted sources and validate event labels before processing
  • Implement monitoring for anomalous cron events and prompt‑injection attempts to detect exploitation

Generated by OpenCVE AI on May 11, 2026 at 18:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.4.20 fails to properly preserve untrusted labels for isolated cron awareness events, allowing webhook-triggered cron agent output to be recorded as trusted system events. Attackers can exploit this trust-labeling issue to strengthen prompt-injection attacks by rendering untrusted events as trusted System events.
Title OpenClaw < 2026.4.20 - Improper Trust Labeling in Isolated Cron Awareness Events
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-345
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-12T13:53:06.530Z

Reserved: 2026-05-08T16:41:39.934Z

Link: CVE-2026-44999

cve-icon Vulnrichment

Updated: 2026-05-12T13:52:59.230Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-11T18:16:39.950

Modified: 2026-05-12T14:19:41.400

Link: CVE-2026-44999

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T20:15:08Z

Weaknesses