Which versions of OpenClaw are affected by CVE-2026-43534?

CVE-2026-43534 is a critical remote vulnerability in the OpenClaw npm package that allows unauthenticated attackers to bypass security boundaries and inject arbitrary malicious content with elevated…. A patch is available.

OpenClaw CVE-2026-43534

Q: What is the CVSS score of CVE-2026-43534?

CVE-2026-43534 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-27279 CRITICAL

Insufficient Verification of Data Authenticity (CWE-345)

2026-05-05 VulnCheck

Privilege Escalation

9.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

May 05, 2026 - 12:42 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 05, 2026 - 12:37 vuln.today

cvss_changed

CVSS changed

May 05, 2026 - 12:37 NVD

9.1 (CRITICAL) 9.3 (CRITICAL)

Source Code Evidence Fetched

May 05, 2026 - 12:19 vuln.today

Analysis Generated

May 05, 2026 - 12:19 vuln.today

DescriptionNVD

OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate untrusted input into higher-trust agent context.

AnalysisAI

Remote unauthenticated trust boundary violation in OpenClaw npm package before 2026.4.10 allows attackers to escalate untrusted external hook input into trusted system events. By supplying malicious hook metadata, adversaries can inject arbitrary content into the agent context with elevated privileges, bypassing security boundaries intended to isolate external input from system-level operations. …

RemediationAI

Within 24 hours: identify all internal and external systems running OpenClaw npm package versions before 2026.4.10 using dependency scanning tools (npm audit, SBOM analysis). Within 7 days: upgrade all instances to OpenClaw version 2026.4.10 or later; test upgrades in development environments first to validate application stability. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-43534 vulnerability details – vuln.today

Back

OpenClaw CVE-2026-43534

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

OpenClaw CVE-2026-43534

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code