CVE-2026-41353 HIGH

CVE-2026-41353: OpenClaw < 2026.3.22 - allowProfiles Bypass via Profile Mutation and Runtime Selection

Vendor Openclaw
Product OpenClaw
Weakness CWE-472 (External Control of Assumed-Immutable Web Parameter)
Published April 23, 2026
Last update April 25, 2026

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and runtime profile selection. Remote attackers can exploit this by manipulating browser proxy profiles at runtime to access restricted profiles and bypass intended access controls.

Disclosure timeline

April 23, 2026 CVE published
April 25, 2026 Record updated