Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-43534 -- CVSS 9.1 Vulnerability Briefing

CVE-2026-43534 | CVSS 9.1 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-43534 is an input validation vulnerability in Openclaw (versions prior to 2026.4.10) that allows externally supplied hook metadata to be processed as trusted system events, exposing the application to privilege escalation attacks.

Technical Detail

The flaw exists in Openclaw's hook processing subsystem, which fails to properly validate or sanitize the origin and content of hook metadata before enqueuing it as a trusted system event. An attacker can supply crafted malicious hook names that the system accepts and processes with elevated trust, enabling privilege escalation beyond the attacker's initial access level. The CVSS score of 9.1 reflects the high impact to confidentiality and integrity, and the attack likely requires no authentication or only low-privilege access to trigger depending on how the hook interface is exposed.

Exploitation Status

No known exploit code has been identified at this time, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog. There is no confirmed public proof-of-concept or evidence of active exploitation in the wild as of May 12, 2026. However, the critical severity rating and straightforward nature of the input validation flaw lower the barrier for independent exploit development.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns, targeted sectors, or adversary groups have been associated with this vulnerability in available intelligence sources.

What To Do

Organizations running Openclaw should prioritize upgrading to version 2026.4.10 or later, which is the vendor-confirmed patched release. Given the critical CVSS score and the privilege escalation potential, patching should be treated as high priority even in the absence of confirmed active exploitation. Where immediate patching is not feasible, administrators should restrict access to any externally facing interfaces that accept hook metadata, enforce strict allowlisting of hook names at the application or network layer, and audit logs for anomalous hook invocation patterns. Monitor vendor advisories for any updates to exploitation status.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →