CVE-2026-42431
Received Received - Intake
Security Bypass in OpenClaw node.invoke Enables Persistent Profile Mutation

Publication date: 2026-04-28

Last updated on: 2026-04-30

Assigner: VulnCheck

Description
OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard and modify browser configurations.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42431
EUVD
EUVD-2026-26133
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.4.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how CVE-2026-42431 impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-42431 is a high-severity security bypass vulnerability in OpenClaw versions before 2026.4.8. It affects the function node.invoke(browser.proxy), which allows attackers to mutate persistent browser profiles by bypassing the browser.request persistent profile-mutation guard.

This means that attackers can circumvent the intended authorization checks and modify browser configurations without proper permission.

The vulnerability is classified under CWE-863 (Incorrect Authorization), indicating that while authorization checks exist, they are not correctly enforced in this case.

Impact Analysis

This vulnerability allows attackers with low privileges and no user interaction to perform unauthorized, high-impact changes to persistent browser profiles.

Such unauthorized modifications can compromise browser configurations, potentially leading to security risks such as altered browser behavior, exposure of sensitive data, or enabling further attacks.

Mitigation Strategies

To mitigate this vulnerability, you should update OpenClaw to version 2026.4.8 or later, where the security bypass issue in node.invoke(browser.proxy) has been fixed.

This update addresses the incorrect authorization flaw that allowed unauthorized mutation of persistent browser profiles.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42431. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart