OpenClaw Privilege Escalation Vulnerability in Heartbeat Owner Downgrade Detection
Vulnerability
A privilege escalation vulnerability has been identified in OpenClaw versions 2026.3.31 prior to 2026.4.10. The issue arises because the heartbeat owner downgrade detection fails to recognize the completion of local background asynchronous execution events. This oversight allows attackers to exploit the vulnerability by injecting untrusted completion content, potentially elevating privileges beyond intended limits.
Impact
Exploitation of this vulnerability could lead to unauthorized privilege escalation, allowing a user to execute actions or access resources with elevated rights.
Reproduction
The vulnerability can be reproduced by initiating a local background asynchronous execution event and then providing untrusted completion content. The heartbeat owner downgrade detection will miss this completion, leaving the execution in a more privileged context than intended.
Remediation
Users are advised to upgrade to OpenClaw version 2026.4.10 or later. The latest npm release, 2026.4.14, includes the necessary fix.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.