OpenClaw versions 2026.3.31 before 2026.4.10 contain a...
Critical severity
Unreviewed
Published
May 6, 2026
to the GitHub Advisory Database
•
Updated May 6, 2026
Description
Published by the National Vulnerability Database
May 6, 2026
Published to the GitHub Advisory Database
May 6, 2026
Last updated
May 6, 2026
OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged context than intended.
References