Incorrect authorization in OpenClaw - CVE-2026-32972

 

Incorrect authorization in OpenClaw - CVE-2026-32972

Published: April 8, 2026


Vulnerability identifier: #VU125161
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32972
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to modify browser profile configuration and persist admin-only changes to disk.

The vulnerability exists due to incorrect authorization in the gateway browser.request handling for browser profile management routes when handling requests to browser profile creation and modification endpoints. A remote user can send a crafted request to /profiles/create to modify browser profiles and persist admin-only changes to disk.

The issue exposes an admin-only configuration write primitive through the browser profile management functionality, allowing storage of attacker-chosen remote CDP endpoints without operator.admin.


How to mitigate CVE-2026-32972

Install security update from vendor's website.

Sources