Vulnerability  ·  2026-05-06

Critical Input Validation Vulnerability in OpenClaw Agent Platform Allows Trust Escalation

Vulnerability  ·  High impact  ·  Global  ·  CVE-2026-43534
OpenClaw, a widely discussed open-source AI agent platform, contains a critical input validation flaw (CVSS 9.1) that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names that bypass security checks and are processed in a higher-trust agent context, enabling privilege escalation, unauthorized operations, or command injection within the agent's execution environment. The vulnerability affects OpenClaw versions prior to 2026.4.10 and was disclosed on May 5, 2026, alongside a GitHub security advisory (GHSA-7g8c-cfr3-vqqr) and a commit fixing the issue.
The vulnerability is remotely exploitable over a network (AV:N) with low attack complexity (AC:L) and requires no authentication (PR:N) or user interaction (UI:N). An attacker crafts malicious external hook metadata—likely via API calls, webhook payloads, or inter-agent communication channels—and supplies hook names designed to be interpreted as trusted system events. Because OpenClaw fails to sanitize or validate the trust level of this input before enqueuing it, the attacker's data is elevated into a context where it can trigger internal commands, manipulate agent state, or exfiltrate data. The flaw is classified as CWE-345 (Insufficient Verification of Data Authenticity).
The flaw affects OpenClaw versions prior to 2026.4.10. OpenClaw is an AI agent orchestration platform that appears to have significant adoption in the agentic AI community, with references in recent development discussions and agent framework comparisons. The vulnerability impacts any deployment where external entities (users, other agents, third-party integrations) can supply hook metadata or trigger hook-based workflows.
Upgrade to OpenClaw version 2026.4.10 or later immediately. The fix is available via commit e3a845bde5b54f4f1e742d0a51ba9860f9619b29 on the OpenClaw GitHub repository. If immediate patching is not possible, apply strict input validation and sanitization to all external hook metadata before it enters the event queue, and implement allowlisting for hook names that can be processed as system events. Review logs for suspicious hook invocations or privilege escalations that may indicate exploitation.
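The interim mitigation described above (validate external hook metadata before it reaches the event queue, and allowlist hook names) can be sketched as a gate in front of the queue. This is an added example, not OpenClaw's code or API: every function name, field name (`hookName`, `payload`, `trust`) and allowlist entry is a hypothetical assumption, and the sample inputs are constructed.

```javascript
// Added example. All names are hypothetical; this is not OpenClaw's API.
// Constructed allowlist of hook names external callers may trigger.
const ALLOWED_EXTERNAL_HOOKS = new Set(["on_message", "on_task_complete"]);
// Strict shape: lowercase identifier, max 64 chars, no separators or control characters.
const HOOK_NAME_RE = /^[a-z][a-z0-9_]{0,63}$/;
const MAX_PAYLOAD_CHARS = 4096;

function vetExternalHook(meta) {
  if (meta === null || typeof meta !== "object" || Array.isArray(meta)) {
    return { ok: false, reason: "metadata is not an object" };
  }
  const name = meta.hookName;
  if (typeof name !== "string" || !HOOK_NAME_RE.test(name)) {
    return { ok: false, reason: "hook name fails format check" };
  }
  if (!ALLOWED_EXTERNAL_HOOKS.has(name)) {
    return { ok: false, reason: "hook name not on allowlist" };
  }
  if (typeof meta.payload !== "string" || meta.payload.length > MAX_PAYLOAD_CHARS) {
    return { ok: false, reason: "payload missing or too large" };
  }
  // Build a fresh event from known fields only. The trust label is assigned
  // here and never copied from the caller's input.
  const event = Object.freeze({ hookName: name, payload: meta.payload, trust: "external" });
  return { ok: true, event };
}

// Gate in front of the queue: accepted events are enqueued, rejections are
// recorded so they can be reviewed later.
function enqueueExternal(queue, rejected, meta) {
  const verdict = vetExternalHook(meta);
  if (verdict.ok) queue.push(verdict.event);
  else rejected.push(verdict.reason);
  return verdict.ok;
}

// Constructed sample inputs run through the gate.
function runSample() {
  const queue = [], rejected = [];
  const samples = [
    { hookName: "on_message", payload: "hello", trust: "system" }, // caller-supplied trust is ignored
    { hookName: "system_event", payload: "x" },                    // well-formed but not allowlisted
    { hookName: "on_message\n", payload: "x" },                    // trailing newline fails the format check
    "not-an-object",
  ];
  for (const s of samples) enqueueExternal(queue, rejected, s);
  return { queue, rejected };
}
```

The recorded rejection reasons give the log review step something concrete to search for.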
Sources
NVD  ·  VulnCheck Advisory  ·  GitHub Security Advisory