Vulnerability Details CVE-2026-43578
OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged context than intended.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 22.4%
CVSS Severity
CVSS v3 Score 9.1
References
Products affected by CVE-2026-43578
-
cpe:2.3:a:openclaw:openclaw:2026.3.31
-
cpe:2.3:a:openclaw:openclaw:2026.4.1
-
cpe:2.3:a:openclaw:openclaw:2026.4.2
-
cpe:2.3:a:openclaw:openclaw:2026.4.4
-
cpe:2.3:a:openclaw:openclaw:2026.4.5
-
cpe:2.3:a:openclaw:openclaw:2026.4.7
-
cpe:2.3:a:openclaw:openclaw:2026.4.7-1
-
cpe:2.3:a:openclaw:openclaw:2026.4.8
-
cpe:2.3:a:openclaw:openclaw:2026.4.9