CRITICALCVE-2026-43534Published 2026-05-05Modified 2026-05-06CNA VulnCheck

CVE-2026-43534: OpenClaw < 2026.4.10 - Unsanitized External Input in Agent Hook Events

OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate untrusted input into higher-trust agent context.

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: 2026.4.10
Affected Products: 1

Fix available

2026.4.10

Patch commits

Patch Commit

Affected packages

OpenClaw / OpenClaw
< 2026.4.10 (from 0)
Fixed in 2026.4.10

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

GitHub Security Advisory (GHSA-7g8c-cfr3-vqqr)
Patch Commit
VulnCheck Advisory: OpenClaw < 2026.4.10 - Unsanitized External Input in Agent Hook Events

Metrics

Fix available