CVE-2026-42433
Authorization Bypass in OpenClaw Message-Tool Paths
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | all versions before 2026.4.10 (2026.4.10 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-42433 is an authorization bypass vulnerability in OpenClaw versions before 2026.4.10. It allows non-owner users to access and modify Matrix profile persistence settings through operator.write message-tool paths without requiring admin-level authority.
The vulnerability arises from insufficient access controls that permit non-owner message-tool runs to mutate persistent profile configurations, which should only be modifiable by owners or users with admin privileges.
The issue was fixed by hiding the set-profile action from non-owner runs and enforcing proper authorization checks that throw errors when unauthorized users attempt profile updates.
How can this vulnerability impact me?
This vulnerability can allow unauthorized users with limited privileges to modify persistent profile configurations in OpenClaw, potentially leading to unauthorized changes in system behavior or security settings.
Such unauthorized modifications could compromise the integrity of user profiles and system configurations, increasing the risk of further exploitation or misuse of the system.
Because the vulnerability requires only limited privileges (non-owner message-tool runs), it broadens the attack surface and can be exploited without full administrative access.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade OpenClaw to version 2026.4.10 or later, as the issue has been fixed starting from that version.
The fix includes proper authorization checks that prevent non-owner or non-admin users from modifying Matrix profile persistence through operator.write message tools.
Ensuring that only admin-level users have access to profile update actions will help prevent exploitation of this authorization bypass.
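The missing-check pattern and the two-part fix described in the answers above (hide the action from non-owner runs, and throw on unauthorized updates), as an added illustration that is not OpenClaw's own code: the run context shape, the `operator.admin` scope, the `listActions` helper and the `get-profile` action name are assumptions; only `operator.write` and the set-profile action come from the advisory.

```typescript
// Hypothetical model of a message-tool dispatcher for CVE-2026-42433 (CWE-862).
// RunContext, operator.admin, listActions and get-profile are assumed names.
type Scope = "operator.read" | "operator.write" | "operator.admin";

interface RunContext {
  user: string;
  isOwner: boolean;  // owner of the account whose Matrix profile is persisted
  scopes: Scope[];   // scopes granted to this message-tool run
}

interface ProfileStore { displayName: string; }

class AuthorizationError extends Error {}

// Before the fix (as the page describes it): any run holding operator.write
// reaches the set-profile action and mutates persistent profile settings.
function setProfileVulnerable(ctx: RunContext, store: ProfileStore, name: string): ProfileStore {
  if (!ctx.scopes.includes("operator.write")) throw new AuthorizationError("operator.write required");
  store.displayName = name;  // no owner/admin check: CWE-862
  return store;
}

// Owner or admin authority is required in addition to the write scope.
function canManageProfile(ctx: RunContext): boolean {
  return ctx.isOwner || ctx.scopes.includes("operator.admin");
}

// After the fix: unauthorized attempts throw instead of mutating the store.
function setProfileFixed(ctx: RunContext, store: ProfileStore, name: string): ProfileStore {
  if (!ctx.scopes.includes("operator.write") || !canManageProfile(ctx)) {
    throw new AuthorizationError(`${ctx.user} may not update profile persistence`);
  }
  store.displayName = name;
  return store;
}

// The action is also hidden from runs that cannot use it, so a non-owner run
// never sees set-profile as an available option.
function listActions(ctx: RunContext): string[] {
  const actions = ["get-profile"];
  if (canManageProfile(ctx)) actions.push("set-profile");
  return actions;
}
```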