CVE-2026-35653 - Vulnerability Analysis
Severity: High
CVSS: 8.1
Last Updated: April 10, 2026
OpenClaw - Broken Access Control
Published: April 10, 2026
Updated: April 10, 2026
Remote Exploitable
Overview
OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint, allowing authenticated operators with write access to bypass profile mutation restrictions and disrupt browser operations.
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
Authenticated attackers can stop the browser, close connections, and move profile directories to Trash, causing denial of service and privilege boundary crossing.
Mitigation
Upgrade to version 2026.3.24 or later.
References
- https://github.com/openclaw/openclaw/commit/4dcc39c25c6cc63fedfd004f52d173716576fcf0
- https://github.com/openclaw/openclaw/commit/e7d11f6c33e223a0dd8a21cfe01076bd76cef87a
- https://github.com/openclaw/openclaw/security/advisories/GHSA-xp9r-prpg-373r
- https://www.vulncheck.com/advisories/openclaw-incorrect-authorization-in-post-reset-profile-via-browser-request
Details
- CVE ID: CVE-2026-35653
- Severity: High
- CVSS Score: 8.1
- Type: broken_access_control
- Status: new
CWE
- CWE-863
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H