Vulnerability Details CVE-2026-35653
OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the browser.request surface to stop the running browser, close Playwright connections, and move profile directories to Trash, crossing intended privilege boundaries.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 11.4%
CVSS Severity
CVSS v3 Score 8.1
References
- https://github.com/openclaw/openclaw/commit/4dcc39c25c6cc63fedfd004f52d173716576fcf0
- https://github.com/openclaw/openclaw/commit/e7d11f6c33e223a0dd8a21cfe01076bd76cef87a
- https://github.com/openclaw/openclaw/security/advisories/GHSA-xp9r-prpg-373r
- https://www.vulncheck.com/advisories/openclaw-incorrect-authorization-in-post-reset-profile-via-browser-request