CVE-2026-43535 Overview
CVE-2026-43535 is an authorization context reuse vulnerability in OpenClaw versions before 2026.4.14. The flaw exists in collect-mode queue batches, where messages from different senders inherit the final sender's authorization context. Attackers with low privileges can queue multiple messages and force earlier messages to execute under a more privileged sender's context. This results in privilege escalation and unauthorized message execution within the queue processing pipeline. The vulnerability is tracked under CWE-266: Incorrect Privilege Assignment.
Critical Impact
Queued messages execute with elevated permissions inherited from the final sender, enabling attackers to perform actions outside their authorization scope.
Affected Products
- OpenClaw (Node.js package) versions prior to 2026.4.14
- Deployments using collect-mode queue batches
- Multi-tenant environments processing messages from multiple senders
Discovery Timeline
- 2026-05-05 - CVE-2026-43535 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43535
Vulnerability Analysis
OpenClaw processes batched messages in collect-mode by aggregating multiple sender requests into a single processing unit. The queue batching logic fails to preserve per-message authorization context across the batch boundary. When the batch drains, all messages within the batch execute using the authorization context attached to the final sender rather than their original sender's context.
An attacker with low privileges can exploit this by submitting messages and ensuring a higher-privileged sender's message is queued last. Earlier messages in the batch then inherit the elevated context during execution. This breaks tenant isolation and access control assumptions in multi-sender deployments. Exploitation requires the presence of a more privileged sender within the same batch window, which raises attack complexity.
Root Cause
The root cause is improper context tracking in the collect-mode queue drain function. Authorization metadata is overwritten by each subsequent enqueue rather than bound to individual message records. When the batch executes, the loop reuses the most recent sender context for every queued message instead of resolving each message's original credentials. This is a design defect in how OpenClaw associates identity state with queued work items.
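The following is an added illustration of the bug class described in this section, not OpenClaw's code: the queue classes, message shape, role names and the `authorizingHandler` policy are all constructed for this example. The vulnerable queue keeps one authorization slot that every enqueue overwrites, so the drain loop runs every message as the last sender; the hardened queue binds the context to each message record at enqueue time and resolves it from the record at execution.

```javascript
// Added illustration of CWE-266 style context reuse in a collect-mode batch.
// NOT OpenClaw's code: every identifier here is an assumption made for this example.

// A message as submitted by a sender. `sender` is the identity the message was
// submitted with; `role` is the privilege attached to that identity.
function makeMessage(id, senderId, role, action) {
  return { id, sender: { id: senderId, role }, action };
}

// Vulnerable pattern: a single authorization slot shared by the whole batch.
// Each enqueue overwrites it, so at drain time every message sees the context
// of whichever sender enqueued last.
class VulnerableCollectQueue {
  constructor() {
    this.messages = [];
    this.authContext = null; // one slot for the entire batch
  }
  enqueue(msg) {
    this.messages.push({ id: msg.id, action: msg.action });
    this.authContext = msg.sender; // overwritten by each subsequent enqueue
  }
  drain(handler) {
    const results = [];
    for (const record of this.messages) {
      // Reuses the most recent sender context for every queued message.
      results.push(handler(record, this.authContext));
    }
    this.messages = [];
    this.authContext = null;
    return results;
  }
}

// Hardened pattern: the authorization context is copied into each message
// record at enqueue and read back from that record at execution, so a batch
// cannot mix one message's work with another sender's identity.
class HardenedCollectQueue {
  constructor() {
    this.messages = [];
  }
  enqueue(msg) {
    const authContext = Object.freeze({ ...msg.sender }); // bound per message
    this.messages.push({ id: msg.id, action: msg.action, authContext });
  }
  drain(handler) {
    const results = [];
    for (const record of this.messages) {
      results.push(handler(record, record.authContext)); // resolved per message
    }
    this.messages = [];
    return results;
  }
}

// Constructed policy: only the "admin" role may run privileged actions.
// Returns a result object rather than throwing so a batch reports per-message outcomes.
const PRIVILEGED_ACTIONS = new Set(['delete-tenant', 'rotate-keys']);
function authorizingHandler(record, ctx) {
  const needsAdmin = PRIVILEGED_ACTIONS.has(record.action);
  const allowed = !needsAdmin || ctx.role === 'admin';
  return { id: record.id, action: record.action, executedAs: ctx.id, role: ctx.role, allowed };
}

// Same constructed batch through either queue: a low-privilege message followed
// by an admin message, the ordering the advisory describes.
function runScenario(QueueClass) {
  const q = new QueueClass();
  q.enqueue(makeMessage('m1', 'user-low', 'user', 'delete-tenant'));
  q.enqueue(makeMessage('m2', 'user-admin', 'admin', 'rotate-keys'));
  return q.drain(authorizingHandler);
}

console.log('vulnerable:', JSON.stringify(runScenario(VulnerableCollectQueue)));
console.log('hardened:  ', JSON.stringify(runScenario(HardenedCollectQueue)));
```

In the vulnerable run, message m1 (submitted by `user-low`) is executed as `user-admin` and its privileged action is allowed; in the hardened run it executes as `user-low` and is refused, while the admin's own message still succeeds.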
Attack Vector
Exploitation occurs over the network and requires authenticated access at a low privilege level. The attacker submits one or more messages to a queue operating in collect-mode. By timing or volume manipulation, the attacker ensures a higher-privileged sender's message lands at the end of the batch. When OpenClaw drains the queue, the attacker's earlier messages execute with the privileged sender's authorization context. Refer to the VulnCheck Advisory on OpenClaw for technical details on the queue processing pipeline.
Detection Methods for CVE-2026-43535
Indicators of Compromise
- Queued messages executing actions outside the originating sender's documented permission scope.
- Audit log entries showing identical authorization context applied to messages from distinct senders within the same batch window.
- Unexpected privileged operations originating from low-privilege accounts during collect-mode batch drains.
Detection Strategies
- Compare the sender identity recorded at message submission with the authorization context recorded at message execution. Mismatches indicate exploitation.
- Instrument the queue drain path to log per-message identity resolution and alert on context divergence.
- Review OpenClaw application logs for clusters of mixed-sender messages processed under a single privileged identity.
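The check below is an added example of the first and third strategies above: it joins submission records to execution records by message id and flags any message whose execution context differs from its submitting sender, then flags batches in which messages from distinct senders all executed under one identity. It is not OpenClaw tooling, and the JSON log lines and field names (`event`, `msgId`, `sender`, `authContext`, `batch`) are constructed for the example; OpenClaw's actual log schema is not given on this page, so the parser must be adapted to the real format.

```javascript
// Added detection example. The log format and field names are CONSTRUCTED for
// this example and are not OpenClaw's real schema.

// Constructed sample: batch b7 shows the advisory's symptom (m1 submitted by
// user-low but executed as user-admin); batch b8 is a clean control.
const SAMPLE_LOG = [
  '{"ts":"2026-05-01T10:00:00Z","event":"submit","msgId":"m1","sender":"user-low","batch":"b7"}',
  '{"ts":"2026-05-01T10:00:01Z","event":"submit","msgId":"m2","sender":"user-admin","batch":"b7"}',
  '{"ts":"2026-05-01T10:00:02Z","event":"execute","msgId":"m1","authContext":"user-admin","batch":"b7"}',
  '{"ts":"2026-05-01T10:00:02Z","event":"execute","msgId":"m2","authContext":"user-admin","batch":"b7"}',
  '{"ts":"2026-05-01T10:05:00Z","event":"submit","msgId":"m3","sender":"user-low","batch":"b8"}',
  '{"ts":"2026-05-01T10:05:01Z","event":"execute","msgId":"m3","authContext":"user-low","batch":"b8"}',
  'not json at all',
];

// Parse one JSON record per line; malformed lines are skipped rather than
// aborting the whole scan.
function parseLogLines(lines) {
  const records = [];
  for (const line of lines) {
    try { records.push(JSON.parse(line)); } catch (e) { /* skip malformed line */ }
  }
  return records;
}

// Returns findings: one 'context-mismatch' per message executed under a context
// other than its submitting sender, plus one 'mixed-senders-single-context' per
// batch whose messages came from several senders but all ran as one identity.
function detectContextDivergence(lines) {
  const records = parseLogLines(lines);
  const submitted = new Map(); // msgId -> submit record
  const executed = new Map();  // msgId -> execute record
  for (const r of records) {
    if (r.event === 'submit') submitted.set(r.msgId, r);
    else if (r.event === 'execute') executed.set(r.msgId, r);
  }

  const findings = [];
  const perBatch = new Map(); // batch -> { senders: Set, contexts: Set }
  for (const [msgId, sub] of submitted) {
    const exe = executed.get(msgId);
    if (!exe) continue; // not executed yet; nothing to compare
    if (exe.authContext !== sub.sender) {
      findings.push({ kind: 'context-mismatch', msgId, batch: sub.batch,
                      submittedBy: sub.sender, executedAs: exe.authContext });
    }
    const b = perBatch.get(sub.batch) ?? { senders: new Set(), contexts: new Set() };
    b.senders.add(sub.sender);
    b.contexts.add(exe.authContext);
    perBatch.set(sub.batch, b);
  }
  for (const [batch, b] of perBatch) {
    if (b.senders.size > 1 && b.contexts.size === 1) {
      findings.push({ kind: 'mixed-senders-single-context', batch,
                      senders: [...b.senders].sort(), context: [...b.contexts][0] });
    }
  }
  return findings;
}

console.log(JSON.stringify(detectContextDivergence(SAMPLE_LOG), null, 2));
```

Running it on the constructed sample yields two findings, both for batch b7: the per-message mismatch on m1 and the batch-level single-context cluster. The per-message join is the higher-confidence signal; the batch-level rule is noisier (a batch where one admin legitimately submits every message will not fire, but one where several users' messages all land on the same service identity by design would) and is best used as a secondary indicator.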
Monitoring Recommendations
- Monitor outbound actions performed by message handlers and correlate them against the originating sender's privilege baseline.
- Track the version of openclaw deployed across Node.js services and flag any instance below 2026.4.14.
- Enable verbose authorization logging on collect-mode queues until upgrade is complete.
How to Mitigate CVE-2026-43535
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.14 or later across all Node.js deployments.
- Audit recent collect-mode queue activity for evidence of cross-sender privilege inheritance.
- Restrict queue submission privileges to trusted senders until the patch is deployed.
Patch Information
The vendor fix is published in commit 43d4be902755c970b3d15608679761877718da69. Details are available in the OpenClaw GitHub Security Advisory GHSA-jwrq-8g5x-5fhm and the upstream commit. The patch ensures each queued message retains and executes under its originating sender's authorization context.
Workarounds
- Disable collect-mode queue batching and process messages individually until the patch is applied.
- Segregate queues by sender privilege level so batches cannot mix low- and high-privilege messages.
- Apply strict per-message authorization checks at handler entry rather than relying on inherited batch context.
# Configuration example: upgrade openclaw via npm
npm install openclaw@2026.4.14
npm ls openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


