This is a critical privilege escalation vulnerability in OpenClaw. The heartbeat owner downgrade logic incorrectly skips validation of webhook wake events that carry untrusted content. An attacker who can deliver such an event can retain a privileged, owner-like execution context that the downgrade should have revoked.
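To make the failure mode concrete, the following is an added illustration of the bug class, written for this page and not taken from OpenClaw's code base. It assumes a hypothetical model in which wake events arrive from two sources ("heartbeat" and "webhook") and a downgrade function is supposed to drop an owner context to a downgraded role whenever the event content is untrusted. The vulnerable variant returns early for webhook events, so the trust check never runs; the hardened variant applies the same check to every source. All names, types and the sample events are constructed assumptions.

```python
# Added illustration of the bug class described above. Hypothetical model,
# not OpenClaw's code; every identifier here is an assumption.
from dataclasses import dataclass, replace
from typing import Callable, List

OWNER = "owner"
DOWNGRADED = "downgraded"


@dataclass(frozen=True)
class WakeEvent:
    source: str      # hypothetical: "heartbeat" or "webhook"
    trusted: bool    # whether the payload came from a trusted principal
    payload: str


@dataclass(frozen=True)
class ExecContext:
    role: str        # OWNER or DOWNGRADED
    trusted: bool    # whether the current context may be treated as trusted


Downgrade = Callable[[ExecContext, WakeEvent], ExecContext]


def downgrade_vulnerable(ctx: ExecContext, event: WakeEvent) -> ExecContext:
    """Vulnerable shape: webhook wakes bypass the downgrade path entirely."""
    if event.source == "webhook":
        # Early return: untrusted webhook content is never validated, so the
        # caller keeps the owner-like context it should have lost.
        return ctx
    if not event.trusted:
        return replace(ctx, role=DOWNGRADED, trusted=False)
    return ctx


def downgrade_fixed(ctx: ExecContext, event: WakeEvent) -> ExecContext:
    """Hardened shape: the trust check runs for every wake source, and a
    downgraded context is never re-elevated by a later trusted event."""
    if not event.trusted:
        return replace(ctx, role=DOWNGRADED, trusted=False)
    return ctx


def process_wakes(ctx: ExecContext, events: List[WakeEvent],
                  downgrade: Downgrade) -> ExecContext:
    """Apply the downgrade policy to each wake event in order."""
    for ev in events:
        ctx = downgrade(ctx, ev)
    return ctx


def final_role(downgrade: Downgrade) -> str:
    """Run a constructed sequence: a trusted heartbeat tick followed by an
    untrusted webhook wake, and report the role the context ends up with."""
    ctx = ExecContext(role=OWNER, trusted=True)
    events = [
        WakeEvent("heartbeat", True, "tick"),                       # constructed
        WakeEvent("webhook", False, '{"cmd": "attacker-controlled"}'),  # constructed
    ]
    return process_wakes(ctx, events, downgrade).role


if __name__ == "__main__":
    print("vulnerable:", final_role(downgrade_vulnerable))  # owner
    print("fixed:     ", final_role(downgrade_fixed))       # downgraded
```

The point of the model is that the vulnerable variant's early return is a missing check, not a wrong check: nothing about the webhook event is inspected before the owner context is handed back. When reviewing similar code, look for any event source that exits the downgrade routine before the trust decision, and for any path that can restore an elevated role after a downgrade has occurred.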
Remediation
Update OpenClaw to version 2026.4.14 or later immediately. Until the patch is applied, restrict unauthenticated access to the webhook endpoints as a temporary mitigation; this reduces exposure to untrusted wake events but does not correct the downgrade logic itself.