CVE-2026-42431
Published: 28 April 2026
Summary
CVE-2026-42431 is a high-severity Incorrect Authorization (CWE-863) vulnerability in OpenClaw. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Extensions (T1176.001). The CVE sits at the 9.2 percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced, so the low percentile should not be read as "no working exploit".
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of flaws such as the authorization bypass in node.invoke(browser.proxy); patching to OpenClaw 2026.4.8 or later removes the exploitable path.
- AC-3 (Access Enforcement): enforces approved authorizations on mutations of persistent browser profiles; its absence on the browser.proxy path is the CWE-863 bypass itself.
- SI-7 (Software, Firmware, and Information Integrity): monitors software and configuration integrity to detect unauthorized changes to persistent browser profiles and configurations resulting from exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability bypasses the persistent browser-profile mutation guard, directly enabling unauthorized profile and configuration changes. Such changes can install browser extensions for persistence (T1176.001) and expose the credentials and cookies stored in those profiles (T1555.003, Credentials from Web Browsers).
NVD Description
OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard and modify browser configurations.
Deeper analysis
CVE-2026-42431 is a security bypass vulnerability (CWE-863) in OpenClaw versions prior to 2026.4.8. The flaw exists in the node.invoke(browser.proxy) function, which permits mutation of persistent browser profiles. This allows attackers to circumvent the browser.request persistent profile-mutation guard, enabling unauthorized modifications to browser configurations. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and was published on 2026-04-28.
Attackers with low privileges (PR:L) can exploit this issue remotely over the network (AV:N) with low attack complexity and no user interaction required. Successful exploitation grants high confidentiality and integrity impacts (C:H/I:H), allowing modification of persistent browser profiles and configurations, which could lead to persistent unauthorized changes in browser behavior or data access.
The fix is OpenClaw commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5, shipped in version 2026.4.8 and later. GitHub's advisory GHSA-cmfr-9m2r-xwhq and VulnCheck's advisory on the persistent profile-mutation bypass both recommend updating to the patched version and reviewing affected deployments to confirm that the profile-mutation guard is enforced on every path that can reach a persistent profile, not only browser.request.
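The pattern described above, a guard enforced on one entry point (browser.request) while a second entry point (node.invoke with browser.proxy) reaches the same mutation unchecked, is the generic CWE-863 shape. The following is an added example and not OpenClaw's code; every identifier in it (ProfileStore, browserRequest, nodeInvokeVulnerable, nodeInvokeFixed, applyBrowserAction, the persistent flag and the caller roles) is hypothetical and chosen only to show the bypass beside the hardened layout, where the authorization check moves to the mutation site so that every caller inherits it.

```javascript
// Added example, not OpenClaw's code. All names and the data model are
// hypothetical; the point is the control-flow shape of CVE-2026-42431.

class ProfileStore {
  constructor() {
    // Constructed sample data: one persistent profile, one ephemeral profile.
    this.profiles = new Map([
      ["work", { persistent: true, extensions: [], proxy: null }],
      ["scratch", { persistent: false, extensions: [], proxy: null }],
    ]);
  }
  get(name) {
    const profile = this.profiles.get(name);
    if (!profile) throw new Error(`unknown profile ${name}`);
    return profile;
  }
}

// The "persistent profile-mutation guard": only an admin may change a
// profile that survives the session.
function assertMayMutate(ctx, profile) {
  if (profile.persistent && ctx.role !== "admin") {
    throw new Error(`forbidden: role ${ctx.role} may not mutate a persistent profile`);
  }
}

// The mutation itself. In the vulnerable layout it trusts its caller to
// have run the guard already.
function applyBrowserAction(store, action) {
  const profile = store.get(action.profile);
  switch (action.op) {
    case "set_proxy":
      profile.proxy = action.value;
      break;
    case "install_extension":
      profile.extensions.push(action.value);
      break;
    default:
      throw new Error(`unsupported op ${action.op}`);
  }
  return profile;
}

// Entry point 1: browser.request. Runs the guard, then mutates.
function browserRequest(store, ctx, action) {
  assertMayMutate(ctx, store.get(action.profile));
  return applyBrowserAction(store, action);
}

// Entry point 2, vulnerable: node.invoke("browser.proxy", ...) forwards to the
// same mutation without the guard. This is the bypass.
function nodeInvokeVulnerable(store, ctx, tool, action) {
  if (tool !== "browser.proxy") throw new Error(`unknown tool ${tool}`);
  return applyBrowserAction(store, action); // assertMayMutate never runs
}

// Fix: enforce authorization at the mutation site (AC-3 style), so every
// entry point, present or future, goes through the same check.
function applyBrowserActionGuarded(store, ctx, action) {
  assertMayMutate(ctx, store.get(action.profile));
  return applyBrowserAction(store, action);
}
function nodeInvokeFixed(store, ctx, tool, action) {
  if (tool !== "browser.proxy") throw new Error(`unknown tool ${tool}`);
  return applyBrowserActionGuarded(store, ctx, action);
}

// Drives all three paths as a low-privilege caller against a fresh store each
// time and reports whether the mutation was denied and what the proxy ended up as.
function demonstrate() {
  const lowPriv = { role: "user" };
  const action = { profile: "work", op: "set_proxy", value: "http://127.0.0.1:8080" };
  const outcome = (run) => {
    const store = new ProfileStore();
    try {
      run(store);
      return { denied: false, proxy: store.get("work").proxy };
    } catch (err) {
      return { denied: true, proxy: store.get("work").proxy };
    }
  };
  return {
    request: outcome((s) => browserRequest(s, lowPriv, action)),
    proxyVulnerable: outcome((s) => nodeInvokeVulnerable(s, lowPriv, "browser.proxy", action)),
    proxyFixed: outcome((s) => nodeInvokeFixed(s, lowPriv, "browser.proxy", action)),
  };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

When reviewing a real deployment, the check this models is simple to state: enumerate every code path that can reach the persistent-profile mutation and confirm the guard runs on each, or, better, that the guard lives inside the mutation so there is nothing to enumerate.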
Details
- CWE(s)