8.6
OpenClaw Node Browser Proxy Allows Unintended Access
GHSA-h5hg-h7rr-gpf3
Summary
Some versions of OpenClaw's Node browser proxy allow access to browser profiles that the `allowProfiles` setting is meant to block. The restriction can be bypassed through persistent profile mutation and runtime profile selection (CWE-863, Incorrect Authorization). To fix this, update OpenClaw to version 2026.3.22 or later.
What to do
- Update `openclaw` to version 2026.3.22 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.22 | 2026.3.22 |
Original title
OpenClaw: Node browser proxy `allowProfiles` bypass through persistent profile mutation and runtime profile selection
Original description
## Summary
Node browser proxy `allowProfiles` bypass through persistent profile mutation and runtime profile selection
## Current Maintainer Triage
- Normalized severity: high
- Assessment: Real released allowProfiles bypass through profile mutation and runtime profile selection, fixed and shipped in v2026.3.22+, so keep open for publish rather than close.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.13-1`
- Patched versions: `>= 2026.3.22`
- First stable tag containing the fix: `v2026.3.22`
## Fix Commit(s)
- `eac93507c36ccd0c359fba18fa466ef6448be8a5` — 2026-03-23T00:56:44-07:00
OpenClaw thanks @smaeljaish771 for reporting.
Severity (OSV, CVSS 4.0): 8.6
Vulnerability type: CWE-863 (Incorrect Authorization)
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026