Lucene search
K

11 matches found

NVD
NVD
added 2026/04/10 5:17 p.m.10 views

CVE-2026-35653

OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the...

8.1CVSS0.006EPSS
Exploits1References4
EUVD
EUVD
added 2026/04/10 4:3 p.m.4 views

EUVD-2026-21452

OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the...

8.1CVSS5.8AI score0.006EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/04/10 4:3 p.m.6 views

CVE-2026-35653

OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the...

8.1CVSS5.8AI score0.006EPSS
Exploits1References5
Vulnrichment
Vulnrichment
added 2026/04/10 4:3 p.m.2 views

CVE-2026-35653 OpenClaw < 2026.3.24 - Incorrect Authorization in POST /reset-profile via browser.request

OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the...

8.1CVSS5.8AI score0.006EPSS
Exploits1References4
CVE
CVE
added 2026/04/10 4:3 p.m.12 views

CVE-2026-35653

OpenClaw prior to 2026.3.24 contains an incorrect authorization flaw in POST /reset-profile. Authenticated callers with operator.write access to browser.request can bypass profile mutation restrictions, potentially stopping the running browser, closing Playwright connections, and moving profile d...

8.1CVSS5.8AI score0.006EPSS
Exploits1References4Affected Software1
Cvelist
Cvelist
added 2026/04/10 4:3 p.m.28 views

CVE-2026-35653 OpenClaw < 2026.3.24 - Incorrect Authorization in POST /reset-profile via browser.request

OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the...

8.1CVSS0.006EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.9 views

PT-2026-31964

OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the...

8.1CVSS5.8AI score0.006EPSS
Exploits1References5
CNNVD
CNNVD
added 2026/04/10 12:0 a.m.9 views

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.24 contained security vulnerabilities. These vulnerabilities stemmed from improper authorization in the POST /reset-profile endpoint, which could allow callers with the...

8.1CVSS5.8AI score0.006EPSS
Exploits1References4
Snyk
Snyk
added 2026/03/30 7:5 p.m.4 views

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via the browser.request function on the operator.write surface. An attacker can disrupt browser operations, terminate active browser sessions, and move the local...

8.1CVSS5.9AI score0.006EPSS
Exploits1References2
OSV
OSV
added 2026/03/30 7:5 p.m.5 views

GHSA-XP9R-PRPG-373R OpenClaw: `browser.request` still allows `POST /reset-profile` through the `operator.write` surface

Fixed in OpenClaw 2026.3.24, the current shipping release. Title browser.request still allows POST /reset-profile through the operator.write surface in OpenClaw v2026.3.22 after GHSA-vmhq-cqm9-6p7q Severity Assessment High CWE: - CWE-863: Incorrect Authorization Proposed CVSS v3.1: - 8.1...

8.1CVSS5.9AI score0.006EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/03/30 7:5 p.m.8 views

OpenClaw: `browser.request` still allows `POST /reset-profile` through the `operator.write` surface

Fixed in OpenClaw 2026.3.24, the current shipping release. Title browser.request still allows POST /reset-profile through the operator.write surface in OpenClaw v2026.3.22 after GHSA-vmhq-cqm9-6p7q Severity Assessment High CWE: - CWE-863: Incorrect Authorization Proposed CVSS v3.1: - 8.1...

8.1CVSS5.9AI score0.006EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder