CVE-2026-43566 Overview
CVE-2026-43566 is a privilege escalation vulnerability in OpenClaw versions 2026.4.7 through 2026.4.13. The flaw resides in the heartbeat owner downgrade logic, which fails to inspect webhook wake events that carry untrusted content. Attackers can send crafted hook:wake system events to preserve owner-like execution context when the run should have been downgraded to a lower-privileged state. The result is unauthorized retention of elevated execution privileges in OpenClaw agent runs. The vulnerability is classified under CWE-184: Incomplete List of Disallowed Inputs.
Critical Impact
Remote attackers without authentication can escalate privileges by injecting untrusted webhook wake events, bypassing the owner downgrade logic that protects high-confidentiality and high-integrity contexts.
Affected Products
- OpenClaw 2026.4.7 through 2026.4.13 (Node.js distribution)
- Patched in OpenClaw 2026.4.14
- Deployments processing webhook hook:wake system events
Discovery Timeline
- 2026-05-05 - CVE-2026-43566 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43566
Vulnerability Analysis
OpenClaw uses a heartbeat runner that periodically evaluates whether an agent run should retain owner-level execution context or be downgraded. The downgrade decision depends on inspecting pending events to detect untrusted content markers, including the System (untrusted): line prefix. Before the patch, wake-triggered runs were excluded from the pending event inspection path. Only exec and cron event reasons triggered the inspection.
Attackers can deliver a hook:wake event containing untrusted webhook content. The heartbeat logic skips inspection of those queued events and fails to flag the untrusted marker. Consequently, the run proceeds with owner-equivalent privileges, executing logic that should have been confined to a downgraded, lower-trust context.
Root Cause
The root cause is an incomplete allowlist of event reasons that mandate pending event inspection. The original shouldInspectPendingEvents predicate evaluated only isExecEventReason, isCronEventReason, and tagged cron events. Wake reasons were absent, allowing untrusted webhook payloads to bypass the downgrade gate.
Attack Vector
A remote unauthenticated attacker sends a webhook payload that triggers a hook:wake system event in the target OpenClaw deployment. The payload contains content that would normally be marked with the System (untrusted): prefix. Because wake reasons skipped pending event inspection, the heartbeat runner does not downgrade the owner context and the untrusted content executes with elevated privileges.
// Patch in src/auto-reply/reply/get-reply-run.ts
// Adds regex to identify untrusted system event lines
let sessionStoreRuntimePromise: Promise<
typeof import("../../config/sessions/store.runtime.js")
> | null = null;
+const UNTRUSTED_SYSTEM_EVENT_LINE_RE = /^System \(untrusted\):/m;
function loadPiEmbeddedRuntime() {
piEmbeddedRuntimePromise ??= import("../../agents/pi-embedded.runtime.js");
// Patch in src/infra/heartbeat-runner.ts
// Wake reasons now trigger pending event inspection when scoped to the same session
const hasTaggedCronEvents = pendingEventEntries.some((event) =>
event.contextKey?.startsWith("cron:"),
);
+ const shouldInspectWakePendingEvents = (() => {
+ if (!reasonFlags.isWakeReason) {
+ return false;
+ }
+ if (params.heartbeat?.isolatedSession !== true) {
+ return true;
+ }
+ const configuredSession = resolveHeartbeatSession(params.cfg, params.agentId, params.heartbeat);
+ const { isolatedSessionKey } = resolveIsolatedHeartbeatSessionKey({
+ sessionKey: session.sessionKey,
+ configuredSessionKey: configuredSession.sessionKey,
+ sessionEntry: session.entry,
+ });
+ return isolatedSessionKey === session.sessionKey;
+ })();
const shouldInspectPendingEvents =
- reasonFlags.isExecEventReason || reasonFlags.isCronEventReason || hasTaggedCronEvents;
+ reasonFlags.isExecEventReason ||
+ reasonFlags.isCronEventReason ||
+ shouldInspectWakePendingEvents ||
+ hasTaggedCronEvents;
Source: OpenClaw Security Patch Commit 31281bc
Detection Methods for CVE-2026-43566
Indicators of Compromise
- Inbound webhook requests producing hook:wake system events from unverified origins.
- Heartbeat run logs showing wake-reason executions that retained owner context despite untrusted content markers.
- Agent logs containing System (untrusted): lines associated with privileged actions.
- OpenClaw deployments still running versions 2026.4.7 through 2026.4.13.
Detection Strategies
- Audit OpenClaw logs for wake-reason heartbeat runs that processed untrusted webhook content prior to upgrading to 2026.4.14.
- Correlate webhook ingress traffic with heartbeat owner-context executions to identify suspicious wake-triggered runs.
- Inventory installed openclaw:openclaw packages across Node.js environments and flag any version below 2026.4.14.
Monitoring Recommendations
- Forward OpenClaw application logs and webhook gateway logs to a centralized SIEM for correlation.
- Alert on repeated wake-reason runs originating from the same external webhook source within short time windows.
- Track outbound network activity from agent runs that processed hook:wake events to detect post-exploitation behavior.
How to Mitigate CVE-2026-43566
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.14 or later in all production and staging environments.
- Restrict webhook endpoints to authenticated, allowlisted sources until the upgrade is complete.
- Review heartbeat run history for prior wake-reason executions that may have processed untrusted content.
Patch Information
OpenClaw addressed CVE-2026-43566 in commit 31281bc92f55796817a92bc43f722cba1e77ab42, which forces owner downgrade for untrusted hook:wake system events by including wake reasons in the pending event inspection logic. Refer to the OpenClaw GitHub Security Advisory GHSA-g2hm-779g-vm32 and the VulnCheck Privilege Escalation Advisory for technical details.
Workarounds
- Disable webhook wake event ingestion until OpenClaw is upgraded to 2026.4.14.
- Place a reverse proxy in front of OpenClaw that rejects webhook payloads from untrusted senders.
- Enforce network-level access controls limiting which hosts can deliver hook:wake events to OpenClaw agents.
# Upgrade OpenClaw to the patched version using npm
npm install openclaw@2026.4.14
# Verify installed version
npm list openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
