OpenClaw Security Bypass Vulnerability Allowing Persistent Profile Mutation

Vulnerability

A security bypass vulnerability has been identified in OpenClaw versions prior to 2026.4.8. The issue lies in the `node.invoke(browser.proxy)` path, which can be used to mutate persistent browser profiles. This path circumvents the `browser.request` guard that protects against unauthorized profile modification, so an attacker can alter the browser profile configuration without passing that check.

Impact

Exploitation of this vulnerability allows for unauthorized modifications of persistent browser profiles, bypassing existing safeguards and potentially leading to malicious configuration changes.

Reproduction

The vulnerability can be reproduced by invoking `node.invoke(browser.proxy)` in an OpenClaw environment running a version earlier than 2026.4.8. The call bypasses the `browser.request` guard and permits unauthorized changes to the persistent browser profile.
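The bug class the advisory describes is a guard attached to one entry point (`browser.request`) while a second entry point (`node.invoke(browser.proxy)`) reaches the same persistent state without it. The following is an added, illustrative model of that class and of the usual fix, enforcing the check at the resource rather than at each caller; it is not OpenClaw's code, and every class, field and method name in it (`Session`, `may_mutate_profile`, `PersistentProfile.set`, the `via` label) is a hypothetical stand-in chosen for the example.

```python
from dataclasses import dataclass, field


class ProfileMutationDenied(PermissionError):
    """Raised when a caller without mutation rights tries to change the profile."""


@dataclass
class Session:
    # Hypothetical caller context: whether this session may change persistent state.
    may_mutate_profile: bool


@dataclass
class PersistentProfile:
    """Toy stand-in for a persistent browser profile (settings that survive restarts)."""
    settings: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)


class VulnerableNode:
    """Guard lives in ONE entry point (request); a second entry point (invoke)
    writes to the same profile and never consults it."""

    def __init__(self, profile: PersistentProfile):
        self.profile = profile

    def request(self, session: Session, key: str, value: str) -> None:
        if not session.may_mutate_profile:          # the browser.request guard
            raise ProfileMutationDenied(key)
        self.profile.settings[key] = value

    def invoke(self, session: Session, target: str, key: str, value: str) -> None:
        if target == "browser.proxy":
            self.profile.settings[key] = value      # direct write, guard skipped


class HardenedProfile(PersistentProfile):
    """Enforcement moved to the resource: every write goes through set(),
    so a new entry point cannot forget the check, and each decision is logged."""

    def set(self, session: Session, key: str, value: str, via: str) -> None:
        if not session.may_mutate_profile:
            self.audit.append(("denied", via, key))
            raise ProfileMutationDenied(f"{via}: {key}")
        self.audit.append(("allowed", via, key))
        self.settings[key] = value


class HardenedNode:
    """Both entry points delegate to the profile; neither holds its own guard."""

    def __init__(self, profile: HardenedProfile):
        self.profile = profile

    def request(self, session: Session, key: str, value: str) -> None:
        self.profile.set(session, key, value, via="browser.request")

    def invoke(self, session: Session, target: str, key: str, value: str) -> None:
        if target == "browser.proxy":
            self.profile.set(session, key, value, via="node.invoke(browser.proxy)")


def demo(node_cls, profile_cls, may_mutate: bool = False):
    """Drive both entry points with one session (constructed input) and report
    which calls were denied, what the profile ends up holding, and the audit log."""
    profile = profile_cls()
    node = node_cls(profile)
    session = Session(may_mutate_profile=may_mutate)
    calls = (
        ("request", lambda: node.request(session, "proxy", "proxy.example:8080")),
        ("invoke", lambda: node.invoke(session, "browser.proxy", "proxy", "proxy.example:8080")),
    )
    outcome = {}
    for name, call in calls:
        try:
            call()
            outcome[name] = "mutated"
        except ProfileMutationDenied:
            outcome[name] = "denied"
    return outcome, dict(profile.settings), list(profile.audit)


if __name__ == "__main__":
    print("vulnerable:", demo(VulnerableNode, PersistentProfile))
    print("hardened:  ", demo(HardenedNode, HardenedProfile))
```

Running `demo` against the vulnerable layout shows the request path denied while the invoke path silently mutates the profile; against the hardened layout both paths are denied and both attempts appear in the audit list, which is the signal a detection rule would key on.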

Remediation

Users should update to OpenClaw version 2026.4.8 or later to address this vulnerability.

Added: Apr 28, 2026, 8:12 PM
Updated: Apr 28, 2026, 8:12 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.3
remediation: 0.0
relevance: 6.9
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.