Executive Summary

CVE-2026-42433 is an authorization bypass vulnerability in OpenClaw versions before 2026.4.10. It allows non-owner users to access and modify Matrix profile persistence settings through operator.write message-tool paths without requiring admin-level authority.

The vulnerability arises from insufficient access controls that permit non-owner message-tool runs to mutate persistent profile configurations, which should only be modifiable by owners or users with admin privileges.

The issue was fixed by hiding the set-profile action from non-owner runs and enforcing proper authorization checks that throw errors when unauthorized users attempt profile updates.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow unauthorized users with limited privileges to modify persistent profile configurations in OpenClaw, potentially leading to unauthorized changes in system behavior or security settings.

Such unauthorized modifications could compromise the integrity of user profiles and system configurations, increasing the risk of further exploitation or misuse of the system.

Because the vulnerability requires only limited privileges (non-owner message-tool runs), it broadens the attack surface and can be exploited without full administrative access.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenClaw to version 2026.4.10 or later, as the issue has been fixed starting from that version.

The fix includes proper authorization checks that prevent non-owner or non-admin users from modifying Matrix profile persistence through operator.write message tools.

Ensuring that only admin-level users have access to profile update actions will help prevent exploitation of this authorization bypass.

Useful 0 Not Useful 0