OpenClaw Improper Trust Labeling Vulnerability in Webhook-Triggered Cron Events
Vulnerability
A trust-labeling vulnerability has been identified in OpenClaw versions prior to 2026.4.20. The issue arises because the application fails to properly maintain untrusted labels for isolated cron awareness events. As a result, output from webhook-triggered cron agents can be incorrectly recorded as trusted system events. This vulnerability allows attackers to enhance the impact of prompt-injection attacks by misrepresenting untrusted events as reliable system events.
Impact
Exploitation of this vulnerability can lead to a misrepresentation of event trustworthiness, allowing untrusted cron events to be perceived as trusted system events. This distortion can amplify the effects of prompt-injection attacks, although it does not directly interfere with gateway authentication, tool policies, or sandboxing.
Reproduction
To reproduce this vulnerability, trigger a webhook that activates an isolated cron awareness event. The event will be recorded as a trusted system event despite its untrusted origin. This can be verified by checking the event's trust label in the main session awareness stream, where the event incorrectly appears as trusted rather than untrusted.
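The labeling defect described in the Vulnerability and Reproduction sections, modeled as an added example (not OpenClaw's own code): a webhook-triggered isolated cron event is forwarded into the main session awareness stream, once with the label dropped and once with it preserved, plus the check a reviewer would run to catch the mislabeling. All type, field and function names here are assumptions.

```typescript
// Added example, not OpenClaw's code: a minimal model of an awareness stream.
// Output of a webhook-triggered or isolated cron run must keep its "untrusted"
// label when it is recorded in the main session. Names are hypothetical.

type Trust = "trusted" | "untrusted";

interface AwarenessEvent {
  source: "system" | "cron";
  trigger?: "schedule" | "webhook"; // how the cron run was started
  isolated?: boolean;               // cron ran in its own isolated session
  text: string;
  trust: Trust;
}

// An event must stay untrusted if it came from an isolated or webhook-started cron run.
function requiresUntrusted(ev: AwarenessEvent): boolean {
  return ev.source === "cron" && (ev.isolated === true || ev.trigger === "webhook");
}

// Vulnerable behaviour (as the advisory describes versions before 2026.4.20):
// the cron output is re-recorded as a plain system event, so the label is lost.
function recordCronOutputVulnerable(ev: AwarenessEvent): AwarenessEvent {
  return { source: "system", text: ev.text, trust: "trusted" };
}

// Fixed behaviour: provenance travels with the event and the label is kept.
function recordCronOutputFixed(ev: AwarenessEvent): AwarenessEvent {
  const trust: Trust = requiresUntrusted(ev) ? "untrusted" : ev.trust;
  return { ...ev, trust };
}

// Check for the reproduction step: true when the recorded copy claims more
// trust than its origin allows. The origin is needed because the vulnerable
// path erases the provenance, so the recorded event alone cannot be judged.
function auditRecording(origin: AwarenessEvent, recorded: AwarenessEvent): boolean {
  return requiresUntrusted(origin) && recorded.trust === "trusted";
}

// Constructed sample: an isolated cron run started by a webhook whose output
// carries text from the webhook payload (the prompt-injection channel).
const sampleCronEvent: AwarenessEvent = {
  source: "cron",
  trigger: "webhook",
  isolated: true,
  text: "Cron run finished. [text copied from the webhook payload]",
  trust: "untrusted",
};
```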
Remediation
Users can update to OpenClaw version 2026.4.20 or later, where this vulnerability has been fixed.