PT-2026-37020 · Openclaw · Openclaw
Keensecuritylab +1 · Published 2026-04-17 · Updated 2026-05-05
CVE-2026-43535
CVSS v3.1: 8.1 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.4.14
Description
An authorization context reuse issue exists in collect-mode queue batches: when a batch is drained, every message in it inherits the authorization context of the final sender instead of being checked against its own sender's context. An attacker with a low-privileged sender can exploit this by queueing multiple messages so that the batch is drained under a more privileged sender's context, causing the earlier messages to execute with elevated permissions.
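The flaw class described above, modelled in a constructed, generic Python example: it is not OpenClaw's code, and every name in it (Message, AuthContext, drain_batch_vulnerable, drain_batch_fixed, audit_context_reuse, PERMISSIONS, the "user" and "operator" senders) is an assumption. The vulnerable drain derives one context from the final sender and applies it to the whole batch; the corrected drain resolves a context per message; the audit function is the kind of check a defender can run over drain records to detect a batch whose authorizing context did not belong to the message's own sender.

```python
"""Model of authorization-context reuse in a batched message queue.

Constructed example for illustration; it is not OpenClaw's code and all
names and the permission table are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Message:
    sender: str
    action: str  # the operation the message asks the processor to perform


@dataclass(frozen=True)
class AuthContext:
    sender: str
    permissions: FrozenSet[str]


@dataclass(frozen=True)
class Outcome:
    message: Message
    context_sender: str  # whose authorization the permission check used
    allowed: bool


# Constructed permission table: "user" is low-privileged, "operator" may also deploy.
PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "user": frozenset({"read"}),
    "operator": frozenset({"read", "deploy"}),
}


def context_for(sender: str) -> AuthContext:
    """Resolve a sender to its own authorization context (deny by default)."""
    return AuthContext(sender, PERMISSIONS.get(sender, frozenset()))


def drain_batch_vulnerable(batch: List[Message]) -> List[Outcome]:
    """Flawed drain: a single context, taken from the final sender, is reused
    for every message in the batch."""
    if not batch:
        return []
    ctx = context_for(batch[-1].sender)
    return [Outcome(m, ctx.sender, m.action in ctx.permissions) for m in batch]


def drain_batch_fixed(batch: List[Message]) -> List[Outcome]:
    """Corrected drain: each message is authorized under its own sender's context."""
    outcomes: List[Outcome] = []
    for m in batch:
        ctx = context_for(m.sender)
        outcomes.append(Outcome(m, ctx.sender, m.action in ctx.permissions))
    return outcomes


def audit_context_reuse(outcomes: List[Outcome]) -> List[Outcome]:
    """Detection check over drain records: flag any message whose permission
    check used a context belonging to a different sender."""
    return [o for o in outcomes if o.context_sender != o.message.sender]


# Constructed batch: a low-privileged request is queued ahead of a privileged sender's message.
SAMPLE_BATCH = [
    Message("user", "deploy"),
    Message("operator", "read"),
]

if __name__ == "__main__":
    for name, drain in (("vulnerable", drain_batch_vulnerable), ("fixed", drain_batch_fixed)):
        results = drain(SAMPLE_BATCH)
        print(name, [(o.message.sender, o.message.action, o.allowed) for o in results])
        print("  context reuse flagged for:", [o.message.sender for o in audit_context_reuse(results)])
```

Running the module shows the "user" message's deploy being allowed under the vulnerable drain and denied under the fixed one; the audit flags exactly the message that was authorized under someone else's context, which is the signal to look for in drain logs or tests when reviewing batch processors for this class of bug.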
Recommendations
Update to version 2026.4.14 or newer.
Fix
Incorrect Privilege Assignment
Incorrect Authorization
Related Identifiers
Affected Products
Openclaw