Which versions of OpenClaw are affected by CVE-2026-43566?

OpenClaw npm package versions 2026.4.7-2026.4.13 contain a critical privilege escalation vulnerability allowing unauthenticated remote attackers to maintain elevated execution privileges during…. A patch is available.

How to fix or mitigate CVE-2026-43566?

Within 24 hours: Inventory all OpenClaw npm package deployments across development, CI/CD, and production environments and identify affected versions (2026.4.7-2026.4.13). Within 7 days: Upgrade all instances to OpenClaw version 2026.4.14 or later across all environments. Within 30 days: Conduct post-patch validation testing of affected workflows, review webhook event logs for anomalous activity during the vulnerability window, and implement network segmentation controls limiting webhook acceptance sources.

OpenClaw CVE-2026-43566

Q: What is the CVSS score of CVE-2026-43566?

CVE-2026-43566 has a CVSS 4.0 base score of 9.1 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-27283 CRITICAL

Incomplete List of Disallowed Inputs (CWE-184)

2026-05-05 VulnCheck

Privilege Escalation

9.1

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Source Code Evidence Fetched

May 05, 2026 - 12:20 vuln.today

Analysis Generated

May 05, 2026 - 12:20 vuln.today

DescriptionNVD

OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when the run should have been downgraded.

AnalysisAI

Privilege escalation in OpenClaw npm package versions 2026.4.7 through 2026.4.13 allows remote unauthenticated attackers to preserve elevated execution context by sending malicious webhook wake events. The heartbeat owner downgrade logic incorrectly skips validation of untrusted webhook payloads, enabling attackers to maintain owner-like privileges during runs that should operate with reduced permissions. …

RemediationAI

Within 24 hours: Inventory all OpenClaw npm package deployments across development, CI/CD, and production environments and identify affected versions (2026.4.7-2026.4.13). Within 7 days: Upgrade all instances to OpenClaw version 2026.4.14 or later across all environments. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-43566 vulnerability details – vuln.today

Back

OpenClaw CVE-2026-43566

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

OpenClaw CVE-2026-43566

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code