PT-2026-35809 · Openclaw · Openclaw

Nicky · Published 2026-04-09 · Updated 2026-04-28 · CVE-2026-42431

CVSS v3.1: 8.1 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

OpenClaw versions prior to 2026.4.8

Description

A security bypass exists in the node.invoke(browser.proxy) function that allows the mutation of persistent browser profiles. This flaw enables attackers to circumvent the browser.request persistent profile-mutation guard and modify browser configurations.

Recommendations

Update to version 2026.4.8 or later. As a temporary workaround, restrict access to the node.invoke(browser.proxy) function to minimize the risk of exploitation.

Fix

Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-42431
GHSA-CMFR-9M2R-XWHQ

Affected Products

Openclaw