CVE-2026-41353

HIGH

OpenClaw < 2026.3.22 - allowProfiles Bypass via Profile Mutation and Runtime Selection

Title source: cna

Description

OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and runtime profile selection. Remote attackers can exploit this by manipulating browser proxy profiles at runtime to access restricted profiles and bypass intended access controls.

References (3)

[Vendor Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-h5hg-h7rr-gpf3

[Patch] https://github.com/openclaw/openclaw/commit/eac93507c36ccd0c359fba18fa466ef6448be8a5

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-allowprofiles-bypass-via-profile-mutation-and-runtime-selection

Scores

CVSS v3 8.1

EPSS 0.0004

EPSS Percentile 12.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Details

CWE

CWE-472

Status published

Products (2)

OpenClaw/OpenClaw < 2026.3.22

OpenClaw/OpenClaw 2026.3.22

Published Apr 23, 2026

Tracked Since Apr 24, 2026