OpenClaw Privilege Escalation Vulnerability in Webhook Wake Event Processing
Vulnerability
A privilege escalation vulnerability has been identified in OpenClaw versions from 2026.4.7 up to, but not including, 2026.4.14. The application's heartbeat owner downgrade logic does not correctly handle untrusted content in webhook wake events, so an attacker can deliver an untrusted event that keeps an owner-like execution context instead of being downgraded as required.
Impact
Exploitation allows a user to retain owner-like rights in a context where they should have been downgraded, resulting in unauthorized privilege escalation.
Reproduction
The vulnerability can be reproduced by sending a webhook wake event that includes untrusted content, such as a specific marker indicating the content's untrustworthiness. This can be done through the application's webhook integration, targeting a session that is active and has not been isolated.
Remediation
Users are advised to upgrade to OpenClaw version 2026.4.14 or later, which includes the fix. The latest npm release, 2026.4.14, already contains the patch.