12 matches found
CVE-2026-43578
OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged contex...
CVE-2026-43578
OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged contex...
CVE-2026-43578
OpenClaw 2026.3.31 before 2026.4.10 is affected by a privilege-escalation vulnerability in which heartbeat owner downgrade detection misses local background async exec completion events. Attackers can provide untrusted completion content to leave a run in a more privileged context than intended. ...
CVE-2026-43578
OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged contex...
CVE-2026-43578 OpenClaw 2026.3.31 < 2026.4.10 - Privilege Escalation via Missed Async Exec Completion Events in Heartbeat Owner Downgrade
OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged contex...
CVE-2026-43578 OpenClaw 2026.3.31 < 2026.4.10 - Privilege Escalation via Missed Async Exec Completion Events in Heartbeat Owner Downgrade
OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged contex...
CVE-2026-43566
OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when th...
CVE-2026-43566 OpenClaw 2026.4.7 < 2026.4.14 - Privilege Escalation via Untrusted Webhook Wake Events
OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when th...
CVE-2026-43566
OpenClaw is affected in versions 2026.4.7 through 2026.4.13 by a privilege escalation vulnerability caused by heartbeat owner downgrade logic that skips webhook wake events carrying untrusted content. An attacker can exploit this by sending untrusted webhook wake events to preserve an owner‑like ...
OpenClaw 安全漏洞
OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. The version of OpenClaw from 2026.4.7 to 2026.4.14 contains security vulnerabilities. These vulnerabilities stem from a logic that downgrades the heartbeat owner, causing it to skip Webhook wake-up events carrying...
Time-of-check Time-of-use (TOCTOU) Race Condition
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition due to missed detection of local async exec completion events during heartbeat owner downgrade. An attacker can maintain a process in a mor...
GHSA-G375-H3V6-4873 OpenClaw: Heartbeat owner downgrade missed local async exec completion events
Summary Heartbeat owner downgrade missed local async exec completion events. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.3.31 = 2026.4.10 Impact Local background exec completion text could be missed by heartbeat owner-downgrade detection, leaving ...