Affected Packages / Versions
- Package:
openclaw (npm)
- Affected versions:
< 2026.4.20
- Patched version:
2026.4.20
Impact
Output from webhook-triggered isolated cron agent runs could be queued into the main session awareness stream without trusted: false. That made the event render as a trusted System: event instead of an untrusted system event.
This is a trust-labeling issue that can strengthen prompt-injection impact, but it does not directly bypass gateway auth, tool policy, or sandboxing. Severity is low.
Fix
OpenClaw now preserves untrusted labels for isolated cron awareness events and forwards the trust flag through cron delivery helpers.
Fix commit:
f61896b03cc7031f51106a04566831f4ac2a0bd7
Release
Fixed in OpenClaw 2026.4.20.
zsxsoft Reporter
KeenSecurityLab Sponsor
qclawer Sponsor
Affected Packages / Versions
openclaw(npm)< 2026.4.202026.4.20Impact
Output from webhook-triggered isolated cron agent runs could be queued into the main session awareness stream without
trusted: false. That made the event render as a trustedSystem:event instead of an untrusted system event.This is a trust-labeling issue that can strengthen prompt-injection impact, but it does not directly bypass gateway auth, tool policy, or sandboxing. Severity is low.
Fix
OpenClaw now preserves untrusted labels for isolated cron awareness events and forwards the trust flag through cron delivery helpers.
Fix commit:
f61896b03cc7031f51106a04566831f4ac2a0bd7Release
Fixed in OpenClaw
2026.4.20.