{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/openclaw-versions-2026.4.7-before-2026.4.14/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-43566"}],"_cs_exploited":false,"_cs_products":["OpenClaw","OpenClaw versions 2026.4.7 before 2026.4.14"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","webhook","cve-2026-43566"],"_cs_type":"threat","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw versions 2026.4.7 through 2026.4.13 are vulnerable to a privilege escalation flaw, identified as CVE-2026-43566. This vulnerability stems from a failure in the heartbeat owner downgrade logic, which incorrectly skips webhook wake events that contain untrusted content. By exploiting this flaw, a malicious actor can craft and send untrusted webhook wake events, effectively maintaining an elevated, owner-like execution context even when the system should have downgraded privileges. This could allow unauthorized access and control within the OpenClaw environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable OpenClaw instance running versions 2026.4.7 - 2026.4.13.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious webhook wake event containing untrusted content.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious webhook wake event to the targeted OpenClaw instance.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw instance receives the webhook wake event.\u003c/li\u003e\n\u003cli\u003eDue to the flawed heartbeat owner downgrade logic, the event is processed without proper privilege downgrading.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s process or script continues to execute with the privileges of the owner, rather than a more restricted user.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to access sensitive data or execute unauthorized commands.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access or further escalates privileges within the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-43566 allows attackers to bypass intended security controls and gain unauthorized access to sensitive resources within the OpenClaw environment. This privilege escalation could lead to data breaches, system compromise, and other malicious activities. The number of affected installations is currently unknown, but any OpenClaw instance running a vulnerable version is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.14 or later to patch CVE-2026-43566.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for all webhook wake events to prevent the injection of untrusted content.\u003c/li\u003e\n\u003cli\u003eMonitor OpenClaw logs for suspicious webhook activity and unexpected privilege escalations.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Webhook Activity\u0026rdquo; to identify potentially malicious webhook events.\u003c/li\u003e\n\u003cli\u003eConsider using a Web Application Firewall (WAF) to filter malicious requests, potentially blocking crafted webhook events before they reach the OpenClaw instance.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T12:16:20Z","date_published":"2026-05-05T12:16:20Z","id":"/briefs/2026-05-openclaw-privesc/","summary":"OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability (CVE-2026-43566) where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content, allowing attackers to preserve owner-like execution context.","title":"OpenClaw Privilege Escalation via Untrusted Webhook Wake Events (CVE-2026-43566)","url":"https://feed.craftedsignal.io/briefs/2026-05-openclaw-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — OpenClaw Versions 2026.4.7 Before 2026.4.14","version":"https://jsonfeed.org/version/1.1"}