216.73.216.86

CVE-2026-35653

· Published 10/04/2026 17:17 · Modified 10/04/2026 17:17

Labels: CVE-2026-35653 2026-04-10CVE-2026-35653CWE-863[email protected]

Essential information

Published
10/04/2026 17:17
Modified
10/04/2026 17:17
Author
Creator
CVSS
7.2 HIGH (v3) 7.2 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the browser.request surface to stop the running browser, close Playwright connections, and move profile directories to Trash, crossing intended privilege boundaries.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
openclaw / openclaw cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*

References