← Retour aux CVEs

CVE-2026-35653

HIGH

8.1

Description

OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the browser.request surface to stop the running browser, close Playwright connections, and move profile directories to Trash, crossing intended privilege boundaries.

Details CVE

Score CVSS v3.18.1

SeveriteHIGH

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisLOW

Interaction utilisateurNONE

Publie4/10/2026

Derniere modification4/13/2026

Sourcenvd

Observations honeypot0

Produits affectes

openclaw:openclaw

Faiblesses (CWE)

CWE-863

References

https://github.com/openclaw/openclaw/commit/4dcc39c25c6cc63fedfd004f52d173716576fcf0(disclosure@vulncheck.com)

https://github.com/openclaw/openclaw/commit/e7d11f6c33e223a0dd8a21cfe01076bd76cef87a(disclosure@vulncheck.com)

https://github.com/openclaw/openclaw/security/advisories/GHSA-xp9r-prpg-373r(disclosure@vulncheck.com)

https://www.vulncheck.com/advisories/openclaw-incorrect-authorization-in-post-reset-profile-via-browser-request(disclosure@vulncheck.com)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.