CVE-2026-41353
HIGHOpenClaw < 2026.3.22 - allowProfiles Bypass via Profile Mutation and Runtime Selection
Title source: cnaDescription
OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and runtime profile selection. Remote attackers can exploit this by manipulating browser proxy profiles at runtime to access restricted profiles and bypass intended access controls.
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-h5hg-h7rr-gpf3)
https://github.com/openclaw/openclaw/security/advisories/GHSA-h5hg-h7rr-gpf3
Patch patch
Patch Commit
https://github.com/openclaw/openclaw/commit/eac93507c36ccd0c359fba18fa466ef6448be8a5
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenClaw < 2026.3.22 - allowProfiles Bypass via Profile Mutation and Runtime Selection
https://www.vulncheck.com/advisories/openclaw-allowprofiles-bypass-via-profile-mutation-and-runtime-selection
Scores
CVSS v3
8.1
EPSS
0.0034
EPSS Percentile
25.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-472
Status
published
Products (3)
OpenClaw/OpenClaw
< 2026.3.22
openclaw/openclaw
< 2026.3.22
OpenClaw/OpenClaw
2026.3.22
Published
Apr 23, 2026
Tracked Since
Apr 24, 2026