CVE-2026-44999

Published: Mag 11, 2026 Last Modified: Mag 11, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 6,3

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

MEDIUM 5,3

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: low

Integrity: none

Availability: none

Description

AI Translation Available

OpenClaw before 2026.4.20 fails to properly preserve untrusted labels for isolated cron awareness events, allowing webhook-triggered cron agent output to be recorded as trusted system events. Attackers can exploit this trust-labeling issue to strengthen prompt-injection attacks by rendering untrusted events as trusted System events.

345

Insufficient Verification of Data Authenticity

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Other

Potential Impacts:

Varies By Context Unexpected State

Applicable Platforms

Technologies: ICS/OT

View CWE Details

https://github.com/openclaw/openclaw/commit/f61896b03cc7031…

https://github.com/openclaw/openclaw/commit/f61896b03cc7031f51106a04566831f4ac2…

https://github.com/openclaw/openclaw/security/advisories/GH…

https://github.com/openclaw/openclaw/security/advisories/GHSA-57r2-h2wj-g887

https://www.vulncheck.com/advisories/openclaw-improper-trus…

https://www.vulncheck.com/advisories/openclaw-improper-trust-labeling-in-isolat…

CVE-2026-44999

Description

Insufficient Verification of Data Authenticity

Common Consequences

Applicable Platforms

Iscriviti alla newsletter