CVE-2026-32972

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.11

Description An authorization bypass exists that allows authenticated operators with operator.write permission to access admin-only browser profile management routes via browser.request. This allows attackers to create or modify browser profiles and persist attacker-controlled remote CDP endpoints to disk without operator.admin privileges. The affected API endpoint is browser.request.

Recommendations Update to version 2026.3.11 or later.