CVE-2026-35653
HIGH WAF: Low
CVSS 8.1
Published: 2026-04-10
CWE-863
OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the browser.request surface to stop the running browser, close Playwright connections, and move profile directories to Trash, crossing intended privilege boundaries.
WAF Coverage Analysis
Incorrect Authorization
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| openclaw | openclaw | up to 2026.3.24 |
References
- github.com (Patch)
- github.com (Exploit, Mitigation, Vendor Advisory)
- github.com (Exploit, Mitigation, Vendor Advisory)
- www.vulncheck.com (Third Party Advisory)