CVE-2026-44999 Overview
CVE-2026-44999 affects OpenClaw versions prior to 2026.4.20. The vulnerability resides in the isolated cron awareness event pipeline, where untrusted labels are not preserved when webhook-triggered cron agent output is dispatched. As a result, attacker-influenced output is recorded as a trusted System event. This trust-labeling defect [CWE-345] strengthens prompt-injection attacks by allowing untrusted webhook content to render as authoritative System events within the agent context. The flaw is network-reachable, requires no authentication, and no user interaction.
Critical Impact
Webhook-triggered cron output can be promoted to trusted System event status, amplifying prompt-injection vectors against downstream AI agent workflows.
Affected Products
- OpenClaw (Node.js package) before 2026.4.20
- Deployments using the isolated cron agent delivery dispatch
- Environments exposing webhook-triggered cron awareness events
Discovery Timeline
- 2026-05-11 - CVE-2026-44999 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44999
Vulnerability Analysis
The vulnerability is an instance of insufficient verification of data authenticity [CWE-345]. OpenClaw's cron subsystem enqueues awareness events through enqueueSystemEvent. When a webhook triggers a cron agent, the resulting output is forwarded to the delivery dispatcher without an explicit trusted: false flag. The downstream consumer therefore treats the payload as a system-originated event rather than third-party input.
In agent-driven environments, System events carry elevated authority during prompt construction. An attacker who controls the webhook payload can inject instructions that the agent interprets as authoritative directives. This converts a classic prompt-injection vector into a higher-impact path because the injected content bypasses standard untrusted-input guards.
The scope is limited to confidentiality at low impact, with no integrity or availability impact recorded. Exploitation requires that the target deployment exposes webhook-triggered cron awareness and routes its output through the unpatched dispatcher.
Root Cause
The root cause is a missing trust label on the path between the webhook-triggered cron agent output and the system event queue. The enqueueSystemEvent signature lacked a trusted parameter, so callers had no mechanism to mark webhook-derived content as untrusted. The dispatcher in src/cron/isolated-agent/delivery-dispatch.ts therefore enqueued events without provenance metadata.
Attack Vector
An unauthenticated remote attacker delivers a crafted payload to a webhook that triggers a cron agent in OpenClaw. The agent's output is enqueued as a System event without an untrusted marker. When the AI agent consumes the event stream, the injected content is interpreted as a trusted system instruction, enabling prompt-injection amplification.
// Patch: src/cron/isolated-agent/delivery-dispatch.ts
agentId: params.agentId,
}),
contextKey: params.deliveryIdempotencyKey,
+ trusted: false,
});
} catch (err) {
await logCronDeliveryWarn(
// Patch: src/cron/service/state.ts
maxMissedJobsPerRestart?: number;
enqueueSystemEvent: (
text: string,
- opts?: { agentId?: string; sessionKey?: string; contextKey?: string },
+ opts?: { agentId?: string; sessionKey?: string; contextKey?: string; trusted?: boolean },
) => void;
Source: OpenClaw commit f61896b
Detection Methods for CVE-2026-44999
Indicators of Compromise
- System event log entries originating from cron agent deliveries that lack a trusted field or carry trusted: true when sourced from webhook payloads.
- Anomalous instruction-like text appearing in cron awareness events shortly after inbound webhook activity.
- Cron agent sessions producing System events containing directives the operator did not author.
Detection Strategies
- Audit OpenClaw event streams for System events whose contextKey matches a webhook delivery idempotency key.
- Compare deployed OpenClaw versions against 2026.4.20 and flag any earlier release.
- Inspect call sites of enqueueSystemEvent for missing trusted: false propagation on webhook-driven paths.
Monitoring Recommendations
- Forward OpenClaw application logs to a centralized analytics platform and alert on System events lacking provenance metadata.
- Track outbound prompt-injection signatures and cross-reference with cron awareness event timestamps.
- Monitor webhook endpoints for high-frequency or template-like payloads consistent with injection probes.
How to Mitigate CVE-2026-44999
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.20 or later, which adds the trusted flag and defaults webhook-triggered cron output to untrusted.
- Inventory all OpenClaw deployments and identify any that consume webhook-triggered cron awareness events.
- Review any prompt templates or agent policies that treat System events as fully trusted and add explicit handling for the new trusted field.
Patch Information
The fix is delivered in commit f61896b03cc7031f51106a04566831f4ac2a0bd7, included in OpenClaw 2026.4.20. The patch adds a trusted option to enqueueSystemEvent and sets trusted: false for webhook-triggered cron agent deliveries. Refer to GitHub Security Advisory GHSA-57r2-h2wj-g887 and the VulnCheck advisory for full details.
Workarounds
- Disable webhook-triggered cron agents until the patch can be applied.
- Restrict webhook endpoints to authenticated, allowlisted sources using a reverse proxy or API gateway.
- Strip or sanitize inbound webhook payloads to remove instruction-like content before they reach the cron dispatcher.
# Update OpenClaw to the fixed release
npm install openclaw@>=2026.4.20
# Verify the installed version
npm ls openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
