Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate untrusted input into higher-trust agent context.
AnalysisAI
Remote unauthenticated trust boundary violation in OpenClaw npm package before 2026.4.10 allows attackers to escalate untrusted external hook input into trusted system events. By supplying malicious hook metadata, adversaries can inject arbitrary content into the agent context with elevated privileges, bypassing security boundaries intended to isolate external input from system-level operations. Vendor-released patch available (version 2026.4.10+), with no evidence of active exploitation or public exploit code at time of analysis.
Technical ContextAI
OpenClaw is an npm package implementing agent-based automation with an event-driven hook system. The vulnerability affects the gateway's hook dispatch mechanism (src/gateway/server/hooks.ts) which processes external webhook events and enqueues them as system events for agent execution. CWE-345 (Insufficient Verification of Data Authenticity) applies: the system failed to validate the trust level of incoming hook metadata before passing it to the agent runtime. The affected code path (hooks.agent-trust.test.ts confirms) allowed externally-controlled hook names to be directly inserted into system event messages without sanitization or trust demotion. The patch introduces two controls: (1) sanitizeInboundSystemTags() to strip malicious content from hook names, and (2) explicit trusted:false marking on all agent hook system events. This follows a common pattern in multi-tenant systems where external input must be explicitly downgraded to prevent privilege escalation across trust boundaries.
RemediationAI
Upgrade to OpenClaw 2026.4.10 or later (latest release 2026.4.14 confirmed to include fix per vendor advisory GHSA-7g8c-cfr3-vqqr). Patch implemented in commit e3a845bde5b54f4f1e742d0a51ba9860f9619b29 and pull request #64372 (https://github.com/openclaw/openclaw/pull/64372). For npm installations, run 'npm update openclaw' to pull fixed version. If immediate upgrade is not feasible, compensating controls include: (1) Disable external hook endpoints entirely if not required for operations - eliminates attack surface but breaks webhook-dependent workflows. (2) Implement network-level filtering to restrict hook endpoint access to trusted IP ranges only - reduces exposure but requires accurate allowlisting and may break legitimate third-party integrations. (3) Deploy OpenClaw behind a reverse proxy with payload validation rules that reject hook names containing 'System:' prefixes or other reserved keywords - adds defense layer but may cause false positives and requires ongoing rule maintenance. All workarounds reduce functionality or operational flexibility; vendor patch is strongly preferred solution.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27279