CVE-2026-41353
Published: 23 April 2026
Summary
CVE-2026-41353 is a high-severity External Control of Assumed-Immutable Web Parameter (CWE-472) vulnerability in OpenClaw (vendor: Openclaw). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Proxy (T1090). The vulnerability ranks at the 14.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to system resources, directly preventing bypass of profile restrictions via persistent mutation and runtime selection in OpenClaw.
- AC-25 (Reference Monitor): Implements a reference monitor mechanism to mediate all access control decisions, blocking unauthorized circumvention of allowProfiles restrictions.
- SI-2 (Flaw Remediation): Requires timely remediation of identified flaws like CVE-2026-41353, eliminating the access control bypass through patching to version 2026.3.22 or later.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The access control bypass allows runtime mutation and selection of restricted browser proxy profiles, directly enabling unauthorized proxy usage for traffic redirection or C2.
NVD Description
OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and runtime profile selection. Remote attackers can exploit this by manipulating browser proxy profiles at runtime to access restricted profiles and bypass intended access controls.
Deeper analysis
CVE-2026-41353 is an access control bypass vulnerability affecting OpenClaw versions prior to 2026.3.22, specifically in the allowProfiles feature. The flaw enables attackers to circumvent profile restrictions through persistent profile mutation and runtime profile selection, allowing manipulation of browser proxy profiles at runtime to access restricted profiles and evade intended access controls. It has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-472.
Remote attackers with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants high-impact access to confidential data and enables integrity violations by bypassing profile-based restrictions, potentially allowing unauthorized use of restricted browser proxy configurations.
Advisories and the referenced patch commit recommend upgrading to OpenClaw 2026.3.22 or later, where the vulnerability is fixed via commit eac93507c36ccd0c359fba18fa466ef6448be8a5. Additional details are available in the GitHub Security Advisory GHSA-h5hg-h7rr-gpf3 and VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-allowprofiles-bypass-via-profile-mutation-and-runtime-selection.
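As an added illustration of the bug class behind this CVE (not OpenClaw's code; the store classes, the update() and select() methods and the sample profiles are all hypothetical), the weak pattern that checks allowProfiles only at load time is shown beside a hardened version that routes both the mutation path and the runtime-selection path through one allowProfiles check, the reference-monitor design the mitigations above call for:

```javascript
// Added illustration of the CVE-2026-41353 bug class; NOT OpenClaw code. All names are hypothetical.

// Weak design: allowProfiles is enforced once at load and the loaded set is then assumed
// immutable (CWE-472); a later persistent mutation and runtime selection are never re-checked.
class WeakProfileStore {
  constructor(profiles, allowProfiles) {
    this.allow = new Set(allowProfiles);
    this.profiles = new Map(Object.entries(profiles).filter(([n]) => this.allow.has(n)));
    this.active = null;
  }
  update(name, cfg) { this.profiles.set(name, cfg); }   // mutation path: no authorization at all
  select(name) {                                         // selection path: only "does it exist?"
    if (!this.profiles.has(name)) throw new Error(`unknown profile ${name}`);
    this.active = name;
    return this.profiles.get(name);
  }
}

// Hardened design: a single authorize() acts as the reference monitor (AC-25) and every
// access-affecting operation passes through it (AC-3); the allowlist itself stays private.
class GuardedProfileStore {
  #allow; #profiles; active = null;
  constructor(profiles, allowProfiles) {
    this.#allow = new Set(allowProfiles);               // private field: callers cannot grow it
    this.#profiles = new Map(Object.entries(profiles).filter(([n]) => this.#allow.has(n)));
  }
  #authorize(name) {
    if (!this.#allow.has(name)) throw new Error(`profile ${name} is not in allowProfiles`);
  }
  update(name, cfg) { this.#authorize(name); this.#profiles.set(name, cfg); }
  select(name) {
    this.#authorize(name);                               // re-checked on every runtime selection
    if (!this.#profiles.has(name)) throw new Error(`unknown profile ${name}`);
    this.active = name;
    return this.#profiles.get(name);
  }
}

// Returns true if the store let a profile outside allowProfiles be re-added and then selected.
function bypassSucceeds(StoreClass) {
  // Constructed sample: two proxy profiles, only "work" is allowed.
  const configured = { work: { proxy: 'proxy-a' }, restricted: { proxy: 'proxy-b' } };
  const store = new StoreClass(configured, ['work']);
  try {
    store.update('restricted', { proxy: 'proxy-b' });          // persistent profile mutation
    return store.select('restricted').proxy === 'proxy-b';     // runtime profile selection
  } catch { return false; }
}
```

Running bypassSucceeds against each class shows the weak store accepting the restricted profile and the guarded store rejecting it at the update step.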
Details
- CWE(s)