OpenClaw (npm), Persistent Profile Mutation Bypass via nodeinvoke(browserproxy), No CVE (critical)

Listen to this Post

The vulnerability resides in OpenClaw, a user‑controlled local assistant. A specific invocation path – `node.invoke(browser.proxy)` – can mutate persistent browser profiles without passing through the `browser.request` guard. Normally, `browser.request` enforces profile‑mutation policies and access controls. However, `node.invoke(browser.proxy)` is designed to interact with the browser proxy but inadvertently bypasses this guard. This means an attacker who can execute arbitrary `node.invoke` calls (within the trusted local assistant model) can directly modify persistent profile data. The guard logic that validates and restricts writes to browser profiles is completely skipped. Persistent profiles include saved cookies, local storage, session data, and authentication tokens. By mutating these profiles, an attacker can hijack authenticated sessions, inject malicious scripts into trusted contexts, or alter browser settings permanently. The attack does not require crossing a multi‑tenant boundary – OpenClaw’s trust model assumes the assistant is user‑controlled, so any malicious or compromised extension or workflow that reaches `node.invoke` can trigger the bypass. The vulnerable code path exists in all npm versions of `openclaw` up to and including v2026.04.01. The fix was applied in commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5` and released as version 2026.4.8. The patch adds a security boundary check inside `node.invoke(browser.proxy)` that enforces the same profile‑mutation guard used by browser.request. Regression tests confirmed that the bypass is no longer possible. The issue was reported by @nicky‑cc of Tencent Zhuque Lab.

dailycve form:

Platform: OpenClaw npm
Version: <= v2026.04.01
Vulnerability: Profile mutation bypass
Severity: Critical
date: 2026-04-09

Prediction: 2026.4.8

What Undercode Say:

Check installed openclaw version
npm list openclaw
Simulate vulnerable call (conceptual – do not run on production)
node.invoke('browser.proxy', { mutate: '/profile/path', data: maliciousPayload })
Verify patch presence by inspecting commit hash
npm view [email protected] dist.integrity
Regression test command (from maintainer)
git checkout d7c3210cd6f5fdfdc1beff4c9541673e814354d5 && npm test -- --grep "browser.request guard"

Exploit:

Craft a workflow that calls node.invoke(browser.proxy, { operation: "write", path: "profile.sqlite", value: maliciousBlob }). The call directly writes to the persistent browser profile storage without triggering `browser.request` validations. This overwrites authentication cookies or adds a persistent XSS payload.

Protection from this CVE

Update to OpenClaw version 2026.4.8 or later. If unable to upgrade, deny or monitor any `node.invoke(browser.proxy)` calls at the orchestration layer. Apply egress filtering on profile directories. Review all installed extensions/workflows that have `node.invoke` privileges.

Impact:

Full compromise of persistent browser profiles: session hijacking, credential theft, persistent script injection, and unauthorized configuration changes. Because the guard is bypassed, no audit logs or policy checks are recorded. The attacker gains persistent access across browser restarts.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top