PT-2026-32310 · Npm · Openclaw

Published

2026-04-03

·

Updated

2026-04-03

CVSS v4.0

7.6

High

VectorAV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

Node browser proxy allowProfiles bypass through persistent profile mutation and runtime profile selection

Current Maintainer Triage

  • Status: open
  • Normalized severity: high
  • Assessment: Real released allowProfiles bypass through profile mutation and runtime profile selection, fixed and shipped in v2026.3.22+, so keep open for publish rather than close.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published npm version: 2026.3.31
  • Vulnerable version range: <=2026.3.13-1
  • Patched versions: >= 2026.3.22
  • First stable tag containing the fix: v2026.3.22

Fix Commit(s)

  • eac93507c36ccd0c359fba18fa466ef6448be8a5 — 2026-03-23T00:56:44-07:00

Release Process Note

  • The fix is already present in released version 2026.3.22.
  • This draft looks ready for final maintainer disposition or publication, not additional code-fix work.
Thanks @smaeljaish771 for reporting.

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

GHSA-H5HG-H7RR-GPF3

Affected Products

Openclaw