Cyber Resilience

CVE-2026-42431

Severity: High · Public PoC referenced

Published: 28 April 2026
Modified: 30 April 2026
KEV added: not listed
Patch: fixed in OpenClaw 2026.4.8
CVSS v4.0 base score: 7.6 (High)
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS score: 0.0026 (percentile 17.2)
Risk priority: 55 (site score: floored blend using peak EPSS)

Summary

CVE-2026-42431 is a high-severity Incorrect Authorization (CWE-863) vulnerability in OpenClaw (CPE vendor Openclaw, product Openclaw). Its CVSS v4.0 base score is 7.6 (High).

Operationally, this page maps exploitation to the MITRE ATT&CK technique Browser Extensions (T1176.001). EPSS places the CVE at percentile 17.2 by exploit likelihood (below the median). It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations identified in this analysis are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-42431 is a security bypass vulnerability (CWE-863) in OpenClaw versions prior to 2026.4.8. The flaw is in the node.invoke(browser.proxy) path, which accepts operations that mutate persistent browser profiles without applying the persistent profile-mutation guard that the browser.request path enforces. An attacker who can reach node.invoke therefore circumvents the guard and makes unauthorized changes to browser configuration. The vulnerability carries a CVSS v3.1 base score of 8.1 (High; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) in addition to the CVSS v4.0 score of 7.6 shown above, and was published on 2026-04-28.

Attackers with low privileges (PR:L) can exploit this issue remotely over the network (AV:N) with low attack complexity and no user interaction. Note that the v4.0 vector records AT:P (attack requirements present), meaning the scored attack depends on deployment conditions outside the attacker's control; check whether node.invoke is reachable by low-privileged sessions in your deployment before treating it as trivially exploitable. Successful exploitation yields high confidentiality and integrity impact (C:H/I:H): the attacker can modify persistent browser profiles and configurations, which can translate into lasting changes to browser behaviour or access to data held in the profile.

The fix is OpenClaw commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5, shipped in version 2026.4.8 and later. Security advisories, including GitHub's GHSA-cmfr-9m2r-xwhq and VulnCheck's advisory on the persistent profile-mutation bypass, recommend updating to the patched version and reviewing affected deployments to confirm that the profile guard is enforced on every path that can mutate a profile, not only on browser.request.
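The shape of the bug described above, as an added example that is not OpenClaw's code: a hypothetical gateway where the browser.request handler applies a persistent profile-mutation guard, but a second entry point, node.invoke with the browser.proxy command, forwards the same operation to the mutation layer without it. The fix moves the guard to the single point of mutation so every path is covered. The scope string, action names, session shape and function names are all assumptions for the demo.

```typescript
// Added illustration of the CWE-863 pattern behind CVE-2026-42431: an
// authorization guard applied on one entry point (browser.request) but not on a
// second path (node.invoke with browser.proxy) that reaches the same mutation.
// Hypothetical model, not OpenClaw's code; all names below are assumed.

type Session = { id: string; scopes: Set<string> };
type BrowserOp = { action: string; profile: string; persistent: boolean; payload?: unknown };
type Result = { ok: boolean; reason: string };

// Hypothetical scope a session must hold to mutate a persistent profile.
const PROFILE_WRITE_SCOPE = "browser:profile:write";

// Actions that change on-disk profile state rather than a temporary session.
const MUTATING_ACTIONS = new Set(["setPreference", "installExtension", "importCookies"]);

function isPersistentProfileMutation(op: BrowserOp): boolean {
  return op.persistent && MUTATING_ACTIONS.has(op.action);
}

// The guard that browser.request applies before mutating a persistent profile.
function profileMutationGuard(session: Session, op: BrowserOp): Result {
  if (isPersistentProfileMutation(op) && !session.scopes.has(PROFILE_WRITE_SCOPE)) {
    return { ok: false, reason: `denied: ${op.action} on persistent profile ${op.profile}` };
  }
  return { ok: true, reason: "allowed" };
}

// Stand-in for the layer that actually writes the change into the profile.
function applyBrowserOp(op: BrowserOp): Result {
  return { ok: true, reason: `applied ${op.action} to ${op.profile}` };
}

// --- Vulnerable shape: the guard lives only in the browser.request handler. ---
function browserRequestVulnerable(session: Session, op: BrowserOp): Result {
  const g = profileMutationGuard(session, op);
  return g.ok ? applyBrowserOp(op) : g;
}

// node.invoke(browser.proxy) forwards the op to the same applier and never
// consults the guard, so a low-privileged session reaches the mutation.
function nodeInvokeVulnerable(_session: Session, command: string, op: BrowserOp): Result {
  if (command !== "browser.proxy") return { ok: false, reason: "unknown command" };
  return applyBrowserOp(op);
}

// --- Hardened shape: enforce at the single point of mutation. ---
function dispatchBrowserOp(session: Session, op: BrowserOp): Result {
  const g = profileMutationGuard(session, op);
  return g.ok ? applyBrowserOp(op) : g;
}

function browserRequestFixed(session: Session, op: BrowserOp): Result {
  return dispatchBrowserOp(session, op);
}

function nodeInvokeFixed(session: Session, command: string, op: BrowserOp): Result {
  if (command !== "browser.proxy") return { ok: false, reason: "unknown command" };
  return dispatchBrowserOp(session, op); // same guard, whichever path is taken
}

// Constructed sample: a session with basic rights but no profile-write scope,
// asking to install an extension into the persistent "default" profile.
const lowPriv: Session = { id: "s1", scopes: new Set(["browser:read", "node:invoke"]) };
const persistentMutation: BrowserOp = {
  action: "installExtension", profile: "default", persistent: true, payload: { id: "ext-x" },
};

function demo(): { direct: boolean; directFixed: boolean; proxyVulnerable: boolean; proxyFixed: boolean } {
  return {
    direct: browserRequestVulnerable(lowPriv, persistentMutation).ok,                       // false
    directFixed: browserRequestFixed(lowPriv, persistentMutation).ok,                       // false
    proxyVulnerable: nodeInvokeVulnerable(lowPriv, "browser.proxy", persistentMutation).ok, // true
    proxyFixed: nodeInvokeFixed(lowPriv, "browser.proxy", persistentMutation).ok,           // false
  };
}
```

The point is structural rather than about any one check: when the same mutation is reachable from several commands, an authorization guard attached to one handler is only as strong as the inventory of handlers, and that inventory drifts as features are added. Placing the guard inside the function that performs the mutation makes a new entry point safe by default.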


Vulnerability details

OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard and modify browser configurations.


MITRE ATT&CK Enterprise Techniques (AI-assigned mapping)

T1176.001 Browser Extensions (Persistence)
Adversaries may abuse internet browser extensions to establish persistent access to victim systems.
T1555.003 Credentials from Web Browsers (Credential Access)
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
Why these techniques?

The vulnerability bypasses the persistent browser profile-mutation guard. Unauthorized profile and configuration changes of that kind can be used to install browser extensions for persistence (T1176.001) and to reach stored credentials and cookies held in the profile (T1555.003).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32924 (same product: OpenClaw)
CVE-2026-32914 (same product: OpenClaw)
CVE-2026-28392 (same product: OpenClaw)
CVE-2026-43530 (same product: OpenClaw)
CVE-2026-28474 (same product: OpenClaw)
CVE-2026-42429 (same product: OpenClaw)
CVE-2026-34512 (same product: OpenClaw)
CVE-2026-33579 (same product: OpenClaw)
CVE-2026-32915 (same product: OpenClaw)
CVE-2026-42422 (same product: OpenClaw)

Affected Assets

Vendor: openclaw
Product: openclaw
Affected versions: < 2026.4.8 (fixed in 2026.4.8; the range shown on the original page as "≤ 2026.4.8" contradicts the advisory text, which states that 2026.4.8 contains the fix)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned mapping)

SI-2 Flaw Remediation (prevent)

Requires timely identification, reporting and correction of flaws such as the security bypass in node.invoke(browser.proxy); in practice, patching to OpenClaw 2026.4.8 or later.

AC-3 Access Enforcement (prevent)

Enforces approved authorizations on every path that can mutate a persistent browser profile, directly countering the CWE-863 authorization bypass. The check that matters is the one at the point of mutation, not the one on a single request handler.

Detect (control not named on this page; the description matches SI-7 Software, Firmware, and Information Integrity)

Monitors software and configuration integrity to identify unauthorized changes to persistent browser profiles and configurations resulting from exploitation.
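A concrete form of the detect control above, as an added example that is not OpenClaw's code or any product's: hash every file under a browser profile directory to build a baseline manifest, rehash later, and report files that were added, removed or changed. The profile layout and file names in the demo are constructed; a real deployment would baseline the profile after a known-good configuration and run the comparison on a schedule or on file-system events, alerting on anything outside an expected change window.

```typescript
// Added example of file-integrity monitoring over a browser profile directory.
// Generic illustration, not OpenClaw code; the profile contents are constructed.
import { createHash } from "node:crypto";
import { mkdtempSync, mkdirSync, writeFileSync, readdirSync, readFileSync, statSync } from "node:fs";
import { tmpdir } from "node:os";
import { join, relative } from "node:path";

type Manifest = Record<string, string>; // relative path -> sha256 hex digest

// Recursively hash every regular file under dir, keyed by path relative to root.
function walk(dir: string, root: string, out: Manifest): void {
  for (const name of readdirSync(dir)) {
    const full = join(dir, name);
    if (statSync(full).isDirectory()) {
      walk(full, root, out);
    } else {
      out[relative(root, full)] = createHash("sha256").update(readFileSync(full)).digest("hex");
    }
  }
}

// Snapshot the profile: the result is what you store as the known-good baseline.
function baseline(profileDir: string): Manifest {
  const m: Manifest = {};
  walk(profileDir, profileDir, m);
  return m;
}

type Drift = { added: string[]; removed: string[]; changed: string[] };

// Compare a fresh snapshot against the baseline; any non-empty list is an alert.
function diffManifest(before: Manifest, after: Manifest): Drift {
  const drift: Drift = { added: [], removed: [], changed: [] };
  for (const p of Object.keys(after)) {
    if (!(p in before)) drift.added.push(p);
    else if (before[p] !== after[p]) drift.changed.push(p);
  }
  for (const p of Object.keys(before)) if (!(p in after)) drift.removed.push(p);
  for (const k of Object.keys(drift) as (keyof Drift)[]) drift[k].sort();
  return drift;
}

// Constructed scenario: baseline a small profile, then apply the kind of change
// the advisory describes (a preference rewritten and an extension dropped in).
function demo(): Drift {
  const profile = mkdtempSync(join(tmpdir(), "profile-"));
  mkdirSync(join(profile, "extensions"));
  writeFileSync(join(profile, "prefs.json"), JSON.stringify({ homepage: "about:blank" }));
  writeFileSync(join(profile, "cookies.db"), "constructed-cookie-store");
  const before = baseline(profile);

  writeFileSync(join(profile, "prefs.json"), JSON.stringify({ homepage: "http://attacker.example" }));
  writeFileSync(join(profile, "extensions", "evil.xpi"), "constructed-extension");
  return diffManifest(before, baseline(profile));
}
```

Hashing the whole profile is deliberately coarse: cookie and cache databases change during normal browsing, so in production you would either exclude those paths or baseline them separately and alert only on the files that encode configuration and installed extensions.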
