High severity (8.1) · NVD Advisory · Published Apr 10, 2026 · Updated Apr 13, 2026
CVE-2026-35653
Description
OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the browser.request surface to stop the running browser, close Playwright connections, and move profile directories to Trash, crossing intended privilege boundaries.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.3.24 | 2026.3.24 |
Affected products
Patches
- 4dcc39c25c6c (https://github.com/openclaw/openclaw), via nvd-ref
- e7d11f6c33e2 (https://github.com/openclaw/openclaw), via nvd-ref
References
- github.com/openclaw/openclaw/commit/4dcc39c25c6cc63fedfd004f52d173716576fcf0 (nvd: Patch)
- github.com/openclaw/openclaw/commit/e7d11f6c33e223a0dd8a21cfe01076bd76cef87a (nvd: Exploit, Mitigation, Vendor Advisory)
- github.com/openclaw/openclaw/security/advisories/GHSA-xp9r-prpg-373r (nvd: Exploit, Mitigation, Vendor Advisory, Web)
- github.com/advisories/GHSA-xp9r-prpg-373r (ghsa: Advisory)
- www.vulncheck.com/advisories/openclaw-incorrect-authorization-in-post-reset-profile-via-browser-request (nvd: Third Party Advisory)