CVE-2026-41353

Severity: HIGH 8.1 · EPSS percentile 25.2%

Description

OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and runtime profile selection. Remote attackers can exploit this by manipulating browser proxy profiles at runtime to access restricted profiles and bypass intended access controls.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.34% probability of exploitation · percentile 25.2% · scored 2026-06-19T12:03:05Z
Published: 2026-04-23
Last modified: 2026-05-01

Underlying weaknesses · 1

CWE-472

References

  1. https://github.com/openclaw/openclaw/commit/eac93507c36ccd0c359fba18fa466ef6448be8a5
  2. https://github.com/openclaw/openclaw/security/advisories/GHSA-h5hg-h7rr-gpf3
  3. https://www.vulncheck.com/advisories/openclaw-allowprofiles-bypass-via-profile-mutation-and-runtime-selection

Type     | Target                                                          | Confidence | Tier
Weakness | External Control of Assumed-Immutable Web Parameter (cwe-472)   | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-42431
  2. CVE-2026-41394
  3. CVE-2026-35653
  4. CVE-2026-41342
  5. CVE-2026-35673
  6. CVE-2026-35638

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.