CVE-2026-32972
Published: 29 March 2026
Summary
CVE-2026-32972 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 enforces approved authorizations for access to system resources, directly preventing authenticated operators with only operator.write permissions from bypassing to admin-only browser profile management routes.
AC-6 implements least privilege to restrict operator.write users from performing admin functions like creating or modifying browser profiles.
SI-2 requires identification, reporting, and correction of flaws such as this authorization bypass, enabling patching to OpenClaw 2026.3.11 or later.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authorization bypass (CWE-863) in browser.request functionality directly allows low-privileged authenticated users (operator.write) to access admin-only browser profile management routes and persist CDP endpoints, matching Exploitation for Privilege Escalation.
NVD Description
OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing authenticated operators with only operator.write permission to access admin-only browser profile management routes through browser.request. Attackers can create or modify browser profiles and persist attacker-controlled remote CDP endpoints to disk without…
more
holding operator.admin privileges.
Deeper analysisAI
CVE-2026-32972 is an authorization bypass vulnerability (CWE-863) in OpenClaw versions before 2026.3.11. The flaw resides in the browser.request functionality, which permits authenticated operators holding only operator.write permissions to access admin-only routes for browser profile management.
An authenticated attacker with operator.write privileges can exploit this vulnerability remotely with low attack complexity and no user interaction. Exploitation grants the ability to create or modify browser profiles and persist attacker-controlled remote CDP endpoints to disk, bypassing the need for operator.admin privileges. The CVSS v3.1 base score is 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L), reflecting high integrity impact with low availability impact and no confidentiality impact.
Mitigation details are available in the referenced advisories, including the GitHub Security Advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-vmhq-cqm9-6p7q and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-browser-profile-management-via-browser-request. Upgrading to OpenClaw 2026.3.11 or later addresses the issue.
Details
- CWE(s)