Severity score: 7.6

OpenClaw Node Browser Proxy Allows Bypass of Access Controls

GHSA-h5hg-h7rr-gpf3
Summary

A security issue in OpenClaw's node browser proxy lets an attacker bypass the node's `allowProfiles` restriction and reach browser profiles the operator did not permit, either by mutating a persisted profile or by selecting a profile at runtime. Data held in those profiles may be exposed on outdated versions of OpenClaw. To fix this, update to version 2026.3.22 or later.

What to do
  • Update openclaw to version 2026.3.22 or later.
Affected software
  • Product: openclaw
  • Affected versions: <= 2026.3.13-1
  • Fix available: 2026.3.22
Original title
OpenClaw: Node browser proxy `allowProfiles` bypass through persistent profile mutation and runtime profile selection
Original description
## Summary
Node browser proxy `allowProfiles` bypass through persistent profile mutation and runtime profile selection

## Current Maintainer Triage
- Normalized severity: high
- Assessment: Real released allowProfiles bypass through profile mutation and runtime profile selection, fixed and shipped in v2026.3.22+, so keep open for publish rather than close.
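The advisory names two routes around a node's `allowProfiles` list, a mutation of the persisted profile and a profile chosen at runtime, but gives no code. The JavaScript below is an added illustration of that bug class (CWE-863) and is not OpenClaw's code: the profile store, the `allowProfiles`/`defaultProfile` config shape, the request shape and every function name are assumptions made for the example. The vulnerable proxy checks the list once at construction against the configured default; the hardened one keeps a private copy of the list, checks the name actually about to be used on every request, and verifies that the record fetched under that name still identifies itself by it.

```javascript
// Added illustration of the CWE-863 pattern named in the advisory title.
// Hypothetical: the store, config shape, request shape and names below are
// assumptions for the example, not OpenClaw's implementation.

// A persisted profile store. Whoever can edit profiles can change a record
// after the proxy has been configured.
function makeStore() {
  return new Map([
    ["work", { name: "work" }],
    ["personal", { name: "personal" }],
  ]);
}

// Vulnerable shape: allowProfiles is enforced once, at construction, against
// the configured default profile. The request path never re-checks.
function makeVulnerableProxy(config, store) {
  if (!config.allowProfiles.includes(config.defaultProfile)) {
    throw new Error(`profile ${config.defaultProfile} not in allowProfiles`);
  }
  const defaultRecord = store.get(config.defaultProfile); // live reference into the store
  return {
    handle(request) {
      // Runtime profile selection is honoured without consulting allowProfiles,
      // and defaultRecord may have been edited since the construction-time check.
      const record = request.profile ? store.get(request.profile) : defaultRecord;
      if (!record) return { ok: false, reason: "unknown profile" };
      return { ok: true, profileUsed: record.name };
    },
  };
}

// Hardened shape: a private copy of the allow-list is enforced on every
// request against the name about to be used, and the record fetched under
// that name must still identify itself by it.
function makeHardenedProxy(config, store) {
  const allow = new Set(config.allowProfiles);
  return {
    handle(request) {
      const name = request.profile ?? config.defaultProfile;
      if (!allow.has(name)) return { ok: false, reason: `profile ${name} not allowed` };
      const record = store.get(name);
      if (!record || record.name !== name) {
        return { ok: false, reason: `profile ${name} missing or altered` };
      }
      return { ok: true, profileUsed: record.name };
    },
  };
}

// Runs both proxies against the two routes the advisory title names and
// returns the outcomes for inspection.
function demo() {
  const config = { allowProfiles: ["work"], defaultProfile: "work" };
  const results = {};

  // Route 1: runtime selection of a profile outside allowProfiles.
  let store = makeStore();
  results.vulnerableSelect = makeVulnerableProxy(config, store).handle({ profile: "personal" });
  results.hardenedSelect = makeHardenedProxy(config, store).handle({ profile: "personal" });

  // Route 2: the persisted record is edited after the proxies were built
  // (constructed mutation for the example).
  store = makeStore();
  const vulnerable = makeVulnerableProxy(config, store);
  const hardened = makeHardenedProxy(config, store);
  store.get("work").name = "personal";
  results.vulnerableMutate = vulnerable.handle({});
  results.hardenedMutate = hardened.handle({});

  // Sanity: an allowed, untouched profile still works through the hardened proxy.
  results.hardenedAllowed = makeHardenedProxy(config, makeStore()).handle({});
  return results;
}
```

The point of the hardened shape is that the check and the use name the same value at the same time: the name is validated on the request that uses it, and the stored record is not trusted to identify itself.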

## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.13-1`
- Patched versions: `>= 2026.3.22`
- First stable tag containing the fix: `v2026.3.22`

## Fix Commit(s)
- `eac93507c36ccd0c359fba18fa466ef6448be8a5` — 2026-03-23T00:56:44-07:00

OpenClaw thanks @smaeljaish771 for reporting.
Score: 7.6 (CVSS 4.0, from GHSA)
Vulnerability type
CWE-863 Incorrect Authorization
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026