OpenClaw Incorrect Authorization Vulnerability in POST /reset-profile Endpoint
Vulnerability
An incorrect-authorization vulnerability has been identified in OpenClaw versions prior to 2026.3.24. It resides in the POST /reset-profile endpoint, which is reachable through the browser.request method: an authenticated user holding only operator.write access can perform a profile mutation that this level of access is not meant to permit. A POST to /reset-profile disrupts the active browser session, closes the connections managed by Playwright, and relocates the profile's data directory to the Trash, crossing the privilege boundary the endpoint was supposed to enforce.
Impact
Exploitation allows unauthorized profile mutations by a caller with operator.write access: resetting a profile, stopping the active browser session, closing Playwright connections, and removing profile data by moving its directory to the Trash. For an operator relying on that profile, the effect is an immediate loss of the session and of the profile's on-disk state.
Reproduction
To reproduce, authenticate as a user whose only relevant privilege is operator.write, and use the browser.request method to send a POST request to /reset-profile carrying the name of the profile to reset. In affected versions the request is not subjected to the stricter check intended for profile mutations, so the reset executes: the browser session is disrupted and the profile's data directory is moved to the Trash. Because the reset is destructive, run this only against a disposable test profile.
Remediation
Update to OpenClaw version 2026.3.24 or later, which addresses this vulnerability.
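The following example, written for this page and not taken from OpenClaw, models the flaw described in the Reproduction section and the fix implied by the Remediation section: a gateway that lets any operator.write holder reach every route, beside a per-route check that maps profile-mutating routes to a stricter scope. Only operator.write, the POST /reset-profile route and the fixed version 2026.3.24 come from the advisory; the scope name operator.profile_admin, the other routes, the request shape and the profile/trash model are assumptions made for the illustration.

```python
"""Hypothetical per-route authorization for a browser.request gateway.

Added illustration, not OpenClaw's code. Only "operator.write", the
POST /reset-profile route and the fixed version 2026.3.24 come from the
advisory; every other scope name, route and the request shape are assumed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Tuple

OPERATOR_WRITE = "operator.write"          # named in the advisory
PROFILE_ADMIN = "operator.profile_admin"   # assumed stricter scope (hypothetical)
FIXED_VERSION = (2026, 3, 24)              # first fixed release per the advisory

# Assumed route table: (HTTP method, path) -> scope the caller must hold.
# Profile-mutating routes map to the stricter scope; ordinary browser
# operations map to the operator scopes.
ROUTE_SCOPES: Dict[Tuple[str, str], str] = {
    ("GET", "/profile"): "operator.read",
    ("POST", "/navigate"): OPERATOR_WRITE,
    ("POST", "/reset-profile"): PROFILE_ADMIN,
}


@dataclass
class BrowserRequest:
    method: str
    path: str
    scopes: FrozenSet[str]
    body: dict = field(default_factory=dict)


def authorize_vulnerable(req: BrowserRequest) -> bool:
    """Models the pre-fix behaviour the advisory describes: holding
    operator.write is enough to reach every route, /reset-profile included."""
    return OPERATOR_WRITE in req.scopes


def authorize_fixed(req: BrowserRequest) -> bool:
    """Per-route check: the caller must hold the scope the table maps for this
    (method, path); routes missing from the table are denied by default."""
    required = ROUTE_SCOPES.get((req.method.upper(), req.path))
    return required is not None and required in req.scopes


def dispatch(req: BrowserRequest,
             authorize: Callable[[BrowserRequest], bool],
             profiles: Dict[str, str],
             trash: Dict[str, str]) -> str:
    """Simulated gateway. `profiles` maps profile name -> data directory;
    a reset moves the directory into `trash`, mirroring the advisory's
    'relocate to the Trash' effect. Returns the outcome as a string."""
    if not authorize(req):
        return "denied"
    if (req.method.upper(), req.path) == ("POST", "/reset-profile"):
        name = req.body.get("name")
        if name not in profiles:
            return "no-such-profile"
        trash[name] = profiles.pop(name)
        return "reset"
    return "ok"


def parse_version(v: str) -> Tuple[int, ...]:
    """OpenClaw versions in the advisory are date-based (YYYY.M.D); this
    assumes purely numeric dotted versions."""
    return tuple(int(part) for part in v.strip().split("."))


def is_affected(version: str) -> bool:
    """True for releases prior to 2026.3.24."""
    return parse_version(version) < FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample state: one profile, an operator with write-only scope.
    profiles = {"work": "/home/op/.openclaw/profiles/work"}
    req = BrowserRequest("POST", "/reset-profile",
                         frozenset({OPERATOR_WRITE}), {"name": "work"})
    print("vulnerable:", dispatch(req, authorize_vulnerable, dict(profiles), {}))
    print("fixed:     ", dispatch(req, authorize_fixed, dict(profiles), {}))
    print("2026.3.23 affected:", is_affected("2026.3.23"))
```

The point of the fixed variant is that the scope decision is keyed on the specific (method, path) rather than on a single coarse scope, and that unmapped routes fail closed, so a newly added mutating endpoint cannot silently inherit operator.write access.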
