CVE-2026-35653
Received Received - Intake
Authorization Bypass in OpenClaw POST /reset-profile Allows Privilege Escalation

Publication date: 2026-04-10

Last updated on: 2026-04-13

Assigner: VulnCheck

Description
OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the browser.request surface to stop the running browser, close Playwright connections, and move profile directories to Trash, crossing intended privilege boundaries.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35653
EUVD
EUVD-2026-21452
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.3.24 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-35653 is an incorrect authorization vulnerability in OpenClaw versions before 2026.3.24 affecting the POST /reset-profile endpoint. Authenticated users with operator.write access to the browser.request interface can bypass intended profile mutation restrictions by invoking this endpoint.

The vulnerability occurs because the function that classifies profile mutations does not recognize POST /reset-profile as a protected mutation, allowing unauthorized destructive actions.

Exploiting this flaw lets attackers stop the running browser, close Playwright connections, and move profile directories to Trash, crossing privilege boundaries and causing integrity and availability issues with persistent browser profiles.

Impact Analysis

This vulnerability can lead to unauthorized destructive actions on persistent browser profiles, including stopping browser instances, terminating browser connections, and deleting profile data by moving it to Trash.

Such actions compromise the integrity and availability of browser profiles, potentially disrupting user sessions and causing data loss.

Because the exploit bypasses intended access controls, it represents a privilege escalation risk for authenticated users with limited write permissions.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or unexpected POST requests to the /reset-profile endpoint on the browser.request interface, especially those made by authenticated users with operator.write access.

To detect exploitation attempts, you can look for POST /reset-profile requests in your logs or network traffic from users with operator.write privileges.

Suggested commands include using network monitoring or log inspection tools to filter for such requests. For example:

  • Using grep on server logs: grep 'POST /reset-profile' /path/to/openclaw/logs/access.log
  • Using tcpdump to capture HTTP POST requests to /reset-profile (assuming default ports): tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep 'POST /reset-profile'
  • Using curl or similar tools to test if the endpoint is accessible with operator.write credentials by attempting a POST /reset-profile request and checking if it is allowed.

Note that detection requires authenticated context with operator.write access, so monitoring authentication and authorization logs alongside network traffic is important.

Compliance Impact

CVE-2026-35653 is an incorrect authorization vulnerability that allows authenticated users with limited write privileges to perform destructive profile resets, leading to integrity and availability compromises of persistent browser profiles.

This vulnerability could impact compliance with common standards and regulations such as GDPR and HIPAA by violating principles of access control and data integrity. Unauthorized destructive actions on user profiles may lead to loss or unavailability of personal data, which can be considered a breach of data protection requirements.

Specifically, the ability to bypass intended privilege boundaries and delete or reset profile data without proper authorization undermines the security controls required to protect sensitive information, potentially resulting in non-compliance with regulations that mandate strict access controls and data integrity safeguards.

Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade OpenClaw to version 2026.3.24 or later, where the vulnerability in the POST /reset-profile endpoint has been fixed.
  • Restrict operator.write access to the browser.request interface to only trusted users until the patch is applied.
  • Review and tighten authorization policies to ensure that destructive profile mutations like POST /reset-profile are properly gated.
  • Monitor for any suspicious POST /reset-profile requests and investigate any unauthorized attempts.

The fix involves extending the persistent profile mutation classifier to include POST /reset-profile and applying consistent access controls to prevent unauthorized destructive profile resets.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35653. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart