Incorrect authorization in OpenClaw - CVE-2026-35653

Published: May 1, 2026


Vulnerability identifier: #VU128736
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-35653
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to reset persistent browser profiles and cause integrity and availability impacts.

The vulnerability exists due to incorrect authorization in the browser.request gateway method and the persistent profile reset route: a crafted POST request to /reset-profile can be sent through the operator.write surface. A remote user who can invoke the reachable reset route can reset persistent browser profiles and cause integrity and availability impacts.

The issue affects only callers who hold the scoped Gateway method browser.request on the operator.write surface, and the target local browser profile must exist.
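The following is an added illustration of the CWE-863 pattern the advisory describes, not OpenClaw's code: a gateway that proxies browser requests checks only the method-level scope, so the destructive reset route is reachable by any operator.write caller. The hardened check adds route-level authorization and the profile-existence precondition, and a small detector flags such calls in gateway logs (the log format and the scope name operator.admin are assumptions).

```python
import re
from dataclasses import dataclass

# Hypothetical gateway model (not OpenClaw's): the route and scope names
# browser.request, operator.write and /reset-profile come from the advisory;
# operator.admin is an assumed name for a stronger, route-level scope.
RESET_ROUTE = ("POST", "/reset-profile")
RESET_SCOPE = "operator.admin"


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    profile: str


def authorize_vulnerable(scopes: set[str], req: Request, profiles: set[str]) -> bool:
    # Only the method-level scope is checked; the proxied route is never
    # examined, so any operator.write caller can reach the destructive reset.
    return "operator.write" in scopes


def authorize_fixed(scopes: set[str], req: Request, profiles: set[str]) -> bool:
    if "operator.write" not in scopes:
        return False
    if (req.method.upper(), req.path) == RESET_ROUTE:
        # Route-level authorization: the reset needs its own scope, and the
        # target profile must exist (the advisory's stated precondition).
        return RESET_SCOPE in scopes and req.profile in profiles
    return True


# Constructed gateway log format for detection; the real format is unknown.
LOG_RE = re.compile(r"method=(\S+) scopes=(\S+) (\S+) (\S+) profile=(\S+)")


def flag_reset_attempts(lines: list[str]) -> list[str]:
    """Return profiles targeted via browser.request without the reset scope."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        method, scopes, verb, path, profile = m.groups()
        if (method == "browser.request" and (verb, path) == RESET_ROUTE
                and RESET_SCOPE not in scopes.split(",")):
            hits.append(profile)
    return hits
```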


How to mitigate CVE-2026-35653

Install the security update from the vendor's website.

Sources