CVE-2026-43534 Overview
CVE-2026-43534 is an input validation vulnerability in OpenClaw versions before 2026.4.10. The flaw allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate untrusted input into a higher-trust agent context.
The issue is tracked under [CWE-345] (Insufficient Verification of Data Authenticity). It is exploitable over the network without authentication or user interaction. The vulnerability affects the Node.js distribution of OpenClaw and was patched in commit e3a845b.
Critical Impact
Remote attackers can inject untrusted hook metadata into the agent's trusted event pipeline, compromising confidentiality and integrity of agent operations without authentication.
Affected Products
- OpenClaw (Node.js) versions prior to 2026.4.10
- Component: openclaw:openclaw agent hook gateway
- Distribution channel: npm / Node.js runtime
Discovery Timeline
- 2026-05-05 - CVE-2026-43534 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43534
Vulnerability Analysis
OpenClaw routes hook events through a gateway server that classifies inbound messages as either external user input or trusted system events. The vulnerable code path in src/gateway/server/hooks.ts accepted hook metadata from external callers and forwarded it directly into the agent's trusted event queue. This allowed attacker-controlled hookName values to be processed with the same privilege as system-originated events.
Because agent hook events drive automated reply logic and tool invocation, promoting external input into the trusted context bypasses the boundary that separates user prompts from system instructions. The classification is [CWE-345], reflecting missing authenticity verification on inbound metadata.
Root Cause
The gateway did not sanitize inbound system tags before enqueuing hook events. The patch introduces sanitizeInboundSystemTags from the inbound-text module to strip or normalize trust markers on data crossing the external boundary. Without this normalization, any caller able to reach the hook endpoint could assert system-level event semantics.
Attack Vector
An unauthenticated remote attacker sends crafted hook events containing forged metadata to the OpenClaw gateway. The gateway accepts the payload and dispatches it as a trusted agent event. The attacker's input is then interpreted by downstream components as authoritative instructions, enabling escalation of agent context and manipulation of reply flow.
// Patch: src/gateway/server/hooks.ts
import { randomUUID } from "node:crypto";
+import { sanitizeInboundSystemTags } from "../../auto-reply/reply/inbound-text.js";
import type { CliDeps } from "../../cli/deps.js";
import { loadConfig, type OpenClawConfig } from "../../config/config.js";
import { resolveMainSessionKeyFromConfig } from "../../config/sessions.js";
Source: GitHub commit e3a845b
The patch imports sanitizeInboundSystemTags so inbound hook payloads are normalized before any trust decision. This severs the path from external metadata to system-level event classification.
Detection Methods for CVE-2026-43534
Indicators of Compromise
- Unexpected hook event names in OpenClaw gateway logs that contain system-reserved tag patterns or control sequences.
- Agent reply traces showing system-tagged events originating from external network sources.
- OpenClaw process versions reported below 2026.4.10 in deployed Node.js services.
Detection Strategies
- Inspect gateway access logs for inbound POST requests to hook endpoints carrying hookName fields with embedded system markers.
- Compare installed OpenClaw package versions against 2026.4.10 across CI/CD inventories and runtime hosts.
- Correlate agent action logs with the originating event source to identify trusted events that lack a corresponding internal trigger.
Monitoring Recommendations
- Enable verbose logging on the OpenClaw gateway and forward events to a centralized SIEM for retention and correlation.
- Alert on any agent hook event whose metadata fails the post-patch sanitizeInboundSystemTags checks.
- Track outbound agent actions following hook events from untrusted networks to detect downstream abuse.
How to Mitigate CVE-2026-43534
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.10 or later on all Node.js deployments.
- Audit existing agent sessions and hook event histories for evidence of unauthorized system-tagged events.
- Restrict network exposure of the OpenClaw gateway to trusted clients until the upgrade is complete.
Patch Information
The fix is applied in commit e3a845bde5b54f4f1e742d0a51ba9860f9619b29 and described in GHSA-7g8c-cfr3-vqqr. Additional technical context is published in the VulnCheck advisory. The patch normalizes inbound system tags via sanitizeInboundSystemTags before hook events are enqueued.
Workarounds
- Place the OpenClaw gateway behind an authenticated reverse proxy that strips or rejects hook metadata containing system-reserved markers.
- Disable external hook ingestion in OpenClaw configuration where the feature is not required.
- Apply network-level allowlists so only trusted agents can submit hook events to the gateway.
# Upgrade OpenClaw to the patched release
npm install openclaw@2026.4.10
# Verify the installed version
npm list openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
