OpenClaw < 2026.4.10 - Unsanitized External Input in Agent Hook...

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate untrusted input into higher-trust agent context.

AI Analysis

Input validation vulnerability allowing external hook metadata to be enqueued as trusted system events

Basic Information

ID CVE-2026-43534

Source VulnCheck

Published May 5, 2026 at 11:25

Affected Product

Vendor OpenClaw

Product OpenClaw

Affected Versions OpenClaw OpenClaw 0

CWE Classification

CWE-345

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor OpenClaw

Product OpenClaw

Version < 2026.4.10

References

{
    "lastseen": "",
    "description": "OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate untrusted input into higher-trust agent context.",
    "published": "2026-05-05T11:25:06.675Z",
    "modified": "2026-05-05T11:25:06.675Z",
    "type": "cve",
    "title": "OpenClaw < 2026.4.10 - Unsanitized External Input in Agent Hook Events",
    "source": "VulnCheck",
    "references": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7g8c-cfr3-vqqr\nhttps://github.com/openclaw/openclaw/commit/e3a845bde5b54f4f1e742d0a51ba9860f9619b29\nhttps://www.vulncheck.com/advisories/openclaw-unsanitized-external-input-in-agent-hook-events",
    "id": "CVE-2026-43534",
    "bulletinFamily": "",
    "cwe": [
        "CWE-345"
    ],
    "cvelist": null,
    "sourceData": "OpenClaw OpenClaw 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "OpenClaw",
    "version": "0",
    "vendor": "OpenClaw",
    "ai_description": "Input validation vulnerability allowing external hook metadata to be enqueued as trusted system events",
    "ai_severity": "Critical",
    "ai_vendor": "OpenClaw",
    "ai_product": "OpenClaw",
    "ai_version": "< 2026.4.10",
    "ai_score": 9.3
}

OpenClaw < 2026.4.10 - Unsanitized External Input in Agent Hook Events_CVE-2026-43534