CVE-2026-43534
CRITICAL
OpenClaw < 2026.4.10 - Unsanitized External Input in Agent Hook Events
Title source: cnaDescription
OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate untrusted input into higher-trust agent context.
References (3)
Core References
Vendor Advisory
GitHub Security Advisory (GHSA-7g8c-cfr3-vqqr)
https://github.com/openclaw/openclaw/security/advisories/GHSA-7g8c-cfr3-vqqr
Patch
Patch Commit
https://github.com/openclaw/openclaw/commit/e3a845bde5b54f4f1e742d0a51ba9860f9619b29
Third Party Advisory
VulnCheck Advisory: OpenClaw < 2026.4.10 - Unsanitized External Input in Agent Hook Events
https://www.vulncheck.com/advisories/openclaw-unsanitized-external-input-in-agent-hook-events
Scores
CVSS v3
9.1
EPSS
0.0001
EPSS Percentile
2.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-345
Status
published
Products (3)
npm/openclaw
0 - 2026.4.10 (npm)
OpenClaw/OpenClaw
< 2026.4.10
OpenClaw/OpenClaw
2026.4.10
Published
May 05, 2026
Tracked Since
May 05, 2026