Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6Blast Radius
ecosystem impact- 3 npm packages depend on openclaw (3 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.11.
DescriptionCVE.org
OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing authenticated operators with only operator.write permission to access admin-only browser profile management routes through browser.request. Attackers can create or modify browser profiles and persist attacker-controlled remote CDP endpoints to disk without holding operator.admin privileges.
AnalysisAI
Privilege escalation in OpenClaw versions prior to 2026.3.11 allows authenticated users with operator.write permissions to execute administrative browser profile management functions, bypassing role-based access controls. Attackers can persist malicious remote Chrome DevTools Protocol (CDP) endpoints to disk, enabling potential remote code execution or session hijacking without operator.admin privileges. EPSS data not available; no public exploit identified at time of analysis. CVSS 7.1 (High) reflects network-accessible attack requiring only low-privileged authentication.
Technical ContextAI
This authorization bypass (CWE-863) stems from improper permission validation in OpenClaw's browser automation framework. The application implements role-based access control with distinct operator.write and operator.admin privilege levels, but fails to enforce authorization checks on administrative routes accessible through the browser.request API surface. Browser profile management includes configuration of remote CDP endpoints-WebSocket URLs used by browser automation tools to control Chromium-based browsers. By persisting attacker-controlled CDP endpoints to OpenClaw's configuration storage, lower-privileged operators can redirect browser sessions to malicious debugging servers, potentially enabling command injection, session interception, or lateral movement within automated testing/scraping infrastructure. The affected component (cpe:2.3:a:openclaw:openclaw) is a browser automation platform where profile management should be restricted to administrative roles.
RemediationAI
Upgrade to OpenClaw version 2026.3.11 or later, which contains authorization enforcement fixes for browser profile management routes per vendor advisory GHSA-vmhq-cqm9-6p7q. Organizations unable to immediately upgrade should implement compensating controls including strict audit logging of all browser.request API calls, network segmentation to isolate OpenClaw instances from sensitive browser automation targets, and review of existing browser profiles for unauthorized CDP endpoint configurations. Examine application logs for suspicious profile creation or modification activity by accounts holding only operator.write permissions during the window of vulnerability. Revoke and rotate credentials for operator-level accounts if unauthorized profile changes are detected. The vendor security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-vmhq-cqm9-6p7q and VulnCheck analysis at https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-browser-profile-management-via-browser-request provide additional remediation guidance.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17009