CVE-2026-43534
Severity: 9.3 Critical
Published:
Last updated:
Source: disclosure@vulncheck.com
Status: Analyzed
Weakness (CWE)
CVSS Vector
CVSS v4.0
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: None
- Privileges Required: None
- User Interaction: None
- Confidentiality (Vulnerable): High
- Integrity (Vulnerable): High
- Availability (Vulnerable): None
- Confidentiality (Subsequent): None
- Integrity (Subsequent): None
- Availability (Subsequent): None
Description
OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate untrusted input into higher-trust agent context.
References
- https://github.com/openclaw/openclaw/commit/e3a845bde5b54f4f1e742d0a51ba9860f9619b29
- https://github.com/openclaw/openclaw/security/advisories/GHSA-7g8c-cfr3-vqqr
- https://www.vulncheck.com/advisories/openclaw-unsanitized-external-input-in-agent-hook-events