CVE-2026-35653
Received - Intake
Authorization Bypass in OpenClaw POST /reset-profile Allows Privilege Escalation

Publication date: 2026-04-10

Last updated on: 2026-04-13

Assigner: VulnCheck

Description
OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the browser.request surface to stop the running browser, close Playwright connections, and move profile directories to Trash, crossing intended privilege boundaries.
Meta Information
Published: 2026-04-10
Last Modified: 2026-04-13
Generated: 2026-05-07
AI Q&A: 2026-04-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: openclaw
Product: openclaw
Version / Range: up to 2026.3.24 (excluding)
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-35653 is an incorrect authorization vulnerability in OpenClaw versions before 2026.3.24 affecting the POST /reset-profile endpoint. Authenticated users with operator.write access to the browser.request interface can bypass intended profile mutation restrictions by invoking this endpoint.

The vulnerability occurs because the function that classifies profile mutations does not recognize POST /reset-profile as a protected mutation, allowing unauthorized destructive actions.

Exploiting this flaw lets attackers stop the running browser, close Playwright connections, and move profile directories to Trash, crossing privilege boundaries and causing integrity and availability issues with persistent browser profiles.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized destructive actions on persistent browser profiles, including stopping browser instances, terminating browser connections, and deleting profile data by moving it to Trash.

Such actions compromise the integrity and availability of browser profiles, potentially disrupting user sessions and causing data loss.

Because the exploit bypasses intended access controls, it represents a privilege escalation risk for authenticated users with limited write permissions.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unauthorized or unexpected POST requests to the /reset-profile endpoint on the browser.request interface, especially those made by authenticated users with operator.write access.

To detect exploitation attempts, you can look for POST /reset-profile requests in your logs or network traffic from users with operator.write privileges.

Suggested commands include using network monitoring or log inspection tools to filter for such requests. For example:

  • Using grep on server logs: grep 'POST /reset-profile' /path/to/openclaw/logs/access.log
  • Using tcpdump to capture HTTP POST requests to /reset-profile (assuming default ports): tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep 'POST /reset-profile'. Note that traffic on port 443 is TLS-encrypted, so the grep only matches plaintext HTTP on port 80; for TLS you need the request logs of the server or of a TLS-terminating proxy.
  • Using curl or similar tools to test whether the endpoint is accessible with operator.write credentials by attempting a POST /reset-profile request and checking whether it is allowed. A successful request performs the destructive reset described above (stopping the browser and moving profile directories to Trash), so run this check only against a non-production instance.

Note that exploitation requires an authenticated context with operator.write access, so monitoring authentication and authorization logs alongside network traffic is important.
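The correlation just described, as an added example that is not part of this advisory or of OpenClaw: it flags POST /reset-profile calls in constructed access-log lines and marks those made by callers who hold only operator.write. The log format, the scope name profile.mutate and the sample lines are assumptions.

```typescript
// Added example for CVE-2026-35653 detection: flag POST /reset-profile calls and
// correlate them with the caller's scopes. The log format, field layout, scope
// name "profile.mutate" and all sample lines are constructed assumptions;
// OpenClaw's real logs may differ.

interface Finding { line: number; user: string; scopes: string[]; suspicious: boolean; }

// Constructed Combined-Log-Format-style lines; the third field is the authenticated user.
const ACCESS_LOG: string[] = [
  '10.0.0.5 - alice [10/Apr/2026:09:12:01 +0000] "POST /reset-profile HTTP/1.1" 200 17',
  '10.0.0.7 - bob [10/Apr/2026:09:13:44 +0000] "GET /profiles HTTP/1.1" 200 412',
  '10.0.0.9 - carol [10/Apr/2026:09:15:02 +0000] "POST /reset-profile/?force=1 HTTP/1.1" 200 17',
];

// Constructed snapshot of the authorization state: scopes held by each user.
const SCOPES: Record<string, string[]> = {
  alice: ["operator.write"],                    // write-only caller: a reset by alice is the CVE pattern
  bob: ["operator.write"],
  carol: ["operator.write", "profile.mutate"],  // assumed scope that legitimately permits resets
};

const REQUEST_LINE = /^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/;

function findResetProfileCalls(
  lines: string[],
  scopes: Record<string, string[]>,
  privilegedScope = "profile.mutate",
): Finding[] {
  const findings: Finding[] = [];
  lines.forEach((line, index) => {
    const m = REQUEST_LINE.exec(line);
    if (!m) return;
    const user = m[2], method = m[3], status = m[5];
    // Drop the query string and trailing slashes so cosmetic path variants still match.
    const path = m[4].split("?")[0].replace(/\/+$/, "");
    if (method !== "POST" || path !== "/reset-profile") return;
    const held = scopes[user] ?? [];
    findings.push({
      line: index + 1,
      user,
      scopes: held,
      // A 2xx reset by a caller without the privileged scope is the bypass described in the CVE.
      suspicious: status.startsWith("2") && !held.includes(privilegedScope),
    });
  });
  return findings;
}

const findings = findResetProfileCalls(ACCESS_LOG, SCOPES); // alice: suspicious, carol: not
```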


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Upgrade OpenClaw to version 2026.3.24 or later, where the vulnerability in the POST /reset-profile endpoint has been fixed.
  • Restrict operator.write access to the browser.request interface to only trusted users until the patch is applied.
  • Review and tighten authorization policies to ensure that destructive profile mutations like POST /reset-profile are properly gated.
  • Monitor for any suspicious POST /reset-profile requests and investigate any unauthorized attempts.

The fix involves extending the persistent profile mutation classifier to include POST /reset-profile and applying consistent access controls to prevent unauthorized destructive profile resets.
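A minimal model of the fix described above, as an added example that is not OpenClaw's code: a mutation classifier that omits POST /reset-profile beside one that includes it, behind the same authorization gate. The scope names other than operator.write, the other routes and the policy itself are assumptions.

```typescript
// Added example for CVE-2026-35653: a minimal model of the authorization gate on
// the browser.request surface, with the pre-fix mutation classifier beside the
// fixed one. Every name here (Scope, BrowserRequest, the scope "profile.mutate",
// the route lists) is an assumption for illustration, not OpenClaw's own code.

type Scope = "operator.read" | "operator.write" | "profile.mutate";

interface BrowserRequest {
  method: string;
  path: string;
  callerScopes: Scope[];
}

// Routes that mutate a persistent browser profile. Before the fix the classifier
// did not list POST /reset-profile, so that call fell through to the generic
// operator.write check even though it stops the browser and trashes profile dirs.
const PROFILE_MUTATIONS_BEFORE_FIX: ReadonlySet<string> = new Set([
  "DELETE /profile",       // assumed example route
  "POST /profile/rename",  // assumed example route
]);
const PROFILE_MUTATIONS_AFTER_FIX: ReadonlySet<string> = new Set([
  ...Array.from(PROFILE_MUTATIONS_BEFORE_FIX),
  "POST /reset-profile",   // the route named in the advisory
]);

function routeKey(req: BrowserRequest): string {
  // Ignore the query string and trailing slashes so "/reset-profile/?x=1"
  // cannot dodge the classifier through a cosmetic path variant.
  const path = req.path.split("?")[0].replace(/\/+$/, "") || "/";
  return `${req.method.toUpperCase()} ${path}`;
}

function isPersistentProfileMutation(req: BrowserRequest, mutations: ReadonlySet<string>): boolean {
  return mutations.has(routeKey(req));
}

// Assumed policy: every browser.request call needs operator.write, and a
// persistent-profile mutation additionally needs profile.mutate.
function authorizeBrowserRequest(req: BrowserRequest, mutations: ReadonlySet<string>): "allow" | "deny" {
  if (!req.callerScopes.includes("operator.write")) return "deny";
  if (isPersistentProfileMutation(req, mutations) && !req.callerScopes.includes("profile.mutate")) return "deny";
  return "allow";
}

// Constructed request: a caller holding only operator.write invokes the reset endpoint.
const resetByWriter: BrowserRequest = { method: "post", path: "/reset-profile/?force=1", callerScopes: ["operator.write"] };
const decisionBeforeFix = authorizeBrowserRequest(resetByWriter, PROFILE_MUTATIONS_BEFORE_FIX); // "allow" (the bug)
const decisionAfterFix = authorizeBrowserRequest(resetByWriter, PROFILE_MUTATIONS_AFTER_FIX);   // "deny"
```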


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-35653 is an incorrect authorization vulnerability that allows authenticated users with limited write privileges to perform destructive profile resets, leading to integrity and availability compromises of persistent browser profiles.

This vulnerability could impact compliance with common standards and regulations such as GDPR and HIPAA by violating principles of access control and data integrity. Unauthorized destructive actions on user profiles may lead to loss or unavailability of personal data, which can be considered a breach of data protection requirements.

Specifically, the ability to bypass intended privilege boundaries and delete or reset profile data without proper authorization undermines the security controls required to protect sensitive information, potentially resulting in non-compliance with regulations that mandate strict access controls and data integrity safeguards.

