CVE-2026-43579 OpenClaw < 2026.4.10 - Insufficient Access Control in Nostr Profile Mutation Routes
OpenClaw before 2026.4.10 contains an insufficient access control vulnerability in Nostr plugin HTTP profile routes that allows operators with write permissions to persist profile configuration without requiring admin authority. Attackers with operator.write scope can modify Nostr profile setting...
CVE-2026-42431
OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard and modify browser configurations...
CVE-2026-42431 OpenClaw < 2026.4.8 - Persistent Profile Mutation via node.invoke(browser.proxy) Bypass
OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard and modify browser configurations...
CVE-2026-42431
OpenClaw contains a vulnerability where node.invoke(browser.proxy) bypasses the browser.request persistent profile‑mutation guard, enabling mutation of persistent browser profiles. Affected software: OpenClaw npm package, prior to 2026.4.8. Root cause: a security bypass path in node.invoke(browse...
PT-2026-35809
OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard and modify browser configurations...
CVE-2026-41353
OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and runtime profile selection. Remote attackers can exploit this by manipulating browser proxy profil...
CVE-2026-41353 OpenClaw < 2026.3.22 - allowProfiles Bypass via Profile Mutation and Runtime Selection
OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and runtime profile selection. Remote attackers can exploit this by manipulating browser proxy profil...
CVE-2026-41353
OpenClaw is vulnerable in versions before 2026.3.22 due to an access control bypass in the allowProfiles feature. The root cause is persistent profile mutation and runtime profile selection, enabling remote attackers to manipulate browser proxy profiles at runtime to access restricted profiles a...
PT-2026-34784
OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and runtime profile selection. Remote attackers can exploit this by manipulating browser proxy profil...
OpenClaw: Nostr profile mutation routes allowed operator.write config persistence
Summary Nostr profile mutation routes allowed operator.write config persistence. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact Nostr plugin HTTP profile routes could persist profile config through a path that did not require admin...
CVE-2026-35653 OpenClaw < 2026.3.24 - Incorrect Authorization in POST /reset-profile via browser.request
OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the...
Incorrect Authorization
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via the node.invoke process. An attacker can alter persistent browser profiles by invoking browser.proxy to bypass the intended profile-mutation guard. Remediation...
GHSA-H5HG-H7RR-GPF3 OpenClaw: Node browser proxy `allowProfiles` bypass through persistent profile mutation and runtime profile selection
Summary Node browser proxy allowProfiles bypass through persistent profile mutation and runtime profile selection Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: Real released allowProfiles bypass through profile mutation and runtime profile selection, fixed and...
OpenClaw: Node browser proxy `allowProfiles` bypass through persistent profile mutation and runtime profile selection
Summary Node browser proxy allowProfiles bypass through persistent profile mutation and runtime profile selection Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: Real released allowProfiles bypass through profile mutation and runtime profile selection, fixed and...