What is CVE-2026-43578?

CVE-2026-43578 is a critical-severity vulnerability in Openclaw, classified under Incomplete List of Disallowed Inputs. CVSS score: 9.1/10. Published 2026-05-06.

How severe is CVE-2026-43578?

Critical severity. CVSS v3 base score is 9.1 out of 10.

Vulnerability in Openclaw

CVE-2026-43578

OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted com…

EPSS: 0.001 (22.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.

Affected products

Openclaw — versions 2026.3.31, 2026.4.10

Weakness classification (CWE)

CWE-184 — Incomplete List of Disallowed Inputs

References

Patch Commit (Patch, patch)
GitHub Security Advisory (GHSA-g375-h3v6-4873) (vendor-advisory, Mitigation, Vendor Advisory)
VulnCheck Advisory: OpenClaw 2026.3.31 < 2026.4.10 - Privilege Escalation via Missed Async Exec Completion Events in Heartbeat Owner Downgrade (Third Party Advisory, third-party-advisory)

Frequently asked questions

What is CVE-2026-43578?: CVE-2026-43578 is a critical-severity vulnerability in Openclaw, classified under Incomplete List of Disallowed Inputs. CVSS score: 9.1/10. Published 2026-05-06.
How severe is CVE-2026-43578?: Critical severity. CVSS v3 base score is 9.1 out of 10.