GHSA-XP9R-PRPG-373R

Vulnerability from github – Published: 2026-03-30 19:05 – Updated: 2026-04-10 17:24
VLAI?
Summary
OpenClaw: `browser.request` still allows `POST /reset-profile` through the `operator.write` surface
Details

Fixed in OpenClaw 2026.3.24, the current shipping release.

Title

browser.request still allows POST /reset-profile through the operator.write surface in OpenClaw v2026.3.22 after GHSA-vmhq-cqm9-6p7q

Severity Assessment

High

CWE:

  • CWE-863: Incorrect Authorization

Proposed CVSS v3.1:

  • 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)

An authenticated caller who only has access to the scoped Gateway method browser.request on the operator.write surface can still reach a destructive persistent-profile management route.

Likely related advisory family:

  • GHSA-vmhq-cqm9-6p7q

This should be treated as a later-version residual or incomplete fix. The earlier fix blocked POST /profiles/create and profile deletion, but the latest released v2026.3.22 code still omits POST /reset-profile from the same mutation gate.

Impact

A caller with operator.write access to browser.request can still trigger persistent profile reset via POST /reset-profile.

This crosses the intended privilege boundary for browser profile management because the release already attempts to block adjacent persistent profile mutations on this same surface.

In practice, the allowed route reaches destructive behavior that can:

  • stop the running browser for that profile
  • close the Playwright browser connection for that profile
  • move the profile's local userDataDir to Trash when it exists

This is a real integrity and availability impact on persistent browser state, not a route-classification mismatch with no side effects.

Affected Component

Product:

  • openclaw

Tested latest released version:

  • release tag: v2026.3.22
  • release tag target commit (peeled tag): e7d11f6c33e223a0dd8a21cfe01076bd76cef87a

Published artifact for that release:

  • package: openclaw-2026.3.22.tgz
  • package build-info commit: 4dcc39c25c6cc63fedfd004f52d173716576fcf0
  • package build-info timestamp: 2026-03-23T10:56:05.946Z

Exact vulnerable paths on the shipped tag:

  • src/gateway/method-scopes.ts:114
  • browser.request is placed on the operator.write surface
  • src/gateway/server-methods/browser.ts:155-165
  • requests are only denied when isPersistentBrowserProfileMutation(method, path) returns true
  • src/browser/request-policy.ts:19-25
  • the mutation classifier recognizes POST /profiles/create and DELETE /profiles/:name, but not POST /reset-profile
  • src/browser/routes/basic.ts:161-170
  • the browser server exposes POST /reset-profile
  • src/browser/server-context.reset.ts:37-63
  • resetProfile() stops the browser, closes the connection, and moves the local profile directory to Trash when present
  • src/node-host/invoke-browser.ts:240-243
  • the same route-classification helper is reused in the browser proxy path when profile restrictions are active

Relevant regression coverage gap on the shipped tag:

  • src/gateway/server-methods/browser.profile-from-body.test.ts:104-140
  • tests only block POST /profiles/create and DELETE /profiles/:name
  • there is no equivalent deny case for POST /reset-profile

Published artifact evidence for the exact released package:

  • openclaw-2026.3.22.tgz::package/dist/build-info.json
  • openclaw-2026.3.22.tgz::package/dist/gateway-cli-Cxz4pSoJ.js:11469-11525
  • openclaw-2026.3.22.tgz::package/dist/gateway-cli-Cxz4pSoJ.js:11484-11485
  • openclaw-2026.3.22.tgz::package/dist/request-policy-nIRryZwZ.js:9-12
  • openclaw-2026.3.22.tgz::package/dist/routes-CdaHRCET.js:6874-6889

Important release note:

  • the published package build-info commit differs from the release tag target commit
  • for this issue, the relevant authorization and route behavior was cross-checked in both the shipped tag source and the published package bundle, and it matches semantically on the vulnerable path

Technical Reproduction

A direct control/exploit pair can be reproduced against the latest released version.

Preconditions:

  • use openclaw@2026.3.22
  • authenticate as a caller that has access to the scoped Gateway method browser.request
  • keep that caller on operator.write, not operator.admin
  • ensure the target local browser profile exists

Reproduction steps:

  1. Call browser.request with:
  2. method: "POST"
  3. path: "/profiles/create"
  4. body: { "name": "poc-profile" }
  5. Observe the control case is rejected with:
  6. browser.request cannot create or delete persistent browser profiles
  7. Call browser.request again with:
  8. method: "POST"
  9. path: "/reset-profile"
  10. body: { "profile": "poc-profile", "name": "poc-profile" }
  11. Observe that the exploit case is not rejected by the same handler.
  12. Observe that the request is forwarded to the browser route/dispatcher, rather than being denied by the mutation classifier.
  13. Observe that the reset route succeeds and applies profile reset behavior.

Why this happens in the released code:

  • the release tries to gate persistent profile mutation using isPersistentBrowserProfileMutation(...)
  • that helper does not classify POST /reset-profile as a protected mutation
  • the exposed browser server route still maps /reset-profile to profileCtx.resetProfile()
  • resetProfile() performs state-changing behavior on the selected local profile

Demonstrated Impact

The shipped release shows the following behavior difference:

Control case:

  • POST /profiles/create
  • rejected before the request is dispatched to the browser control path

Exploit case:

  • POST /reset-profile
  • not classified as a blocked mutation
  • remains reachable through the browser.request surface
  • reaches resetProfile(), which performs destructive profile-management operations

The reached route has concrete side effects:

  • stops the running browser if active
  • closes the Playwright browser connection
  • moves the profile's local userDataDir to Trash if it exists

This is therefore a concrete authorization and policy gap on a real destructive profile-management route. It is not a complaint about the existence of browser.request by itself.

Environment

Environment used for validation:

  • product: openclaw
  • latest released version: 2026.3.22
  • release tag: v2026.3.22
  • release tag target commit (peeled tag): e7d11f6c33e223a0dd8a21cfe01076bd76cef87a
  • published package: openclaw-2026.3.22.tgz
  • published package build-info commit: 4dcc39c25c6cc63fedfd004f52d173716576fcf0

Explicit trust-model statement:

  • this report does not rely on adversarial or mutually untrusted operators sharing one gateway host or config

Scope check:

  • this is not a complaint about the existence of the explicit browser.request surface by itself
  • this is not a prompt-injection-only report
  • this is not a multi-tenant shared-gateway claim
  • this is not an attack on the unscoped HTTP compatibility endpoints
  • this is a concrete missed route inside an intended privilege gate on a real scoped Gateway method
  • the control case proves the policy is intended to exist on this surface, and the exploit case proves POST /reset-profile remains outside that gate in the shipped release

Remediation Advice

Recommended fix:

  1. Extend the persistent-profile mutation classifier to include POST /reset-profile.
  2. Reuse the same centralized route classification everywhere the release currently relies on isPersistentBrowserProfileMutation(...), including:
  3. src/gateway/server-methods/browser.ts
  4. src/node-host/invoke-browser.ts
  5. Add regression coverage with both:
  6. a deny control for POST /reset-profile on the lower-privilege browser.request surface
  7. an allow control for non-mutating browser profile reads
  8. Review nearby profile-management routes for any other state-changing endpoints that are still omitted from the mutation classifier.
  9. Treat GHSA-vmhq-cqm9-6p7q as the prior family and close the remaining residual route in the same policy surface.
Severity ?
8.1 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35653"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-30T19:05:11Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "\u003e Fixed in OpenClaw 2026.3.24, the current shipping release.\n\n# Title\n\n`browser.request` still allows `POST /reset-profile` through the `operator.write` surface in OpenClaw `v2026.3.22` after `GHSA-vmhq-cqm9-6p7q`\n\n## Severity Assessment\n\nHigh\n\nCWE:\n\n- `CWE-863: Incorrect Authorization`\n\nProposed CVSS v3.1:\n\n- `8.1` (`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H`)\n\nAn authenticated caller who only has access to the scoped Gateway method `browser.request` on the `operator.write` surface can still reach a destructive persistent-profile management route.\n\nLikely related advisory family:\n\n- `GHSA-vmhq-cqm9-6p7q`\n\nThis should be treated as a later-version residual or incomplete fix. The earlier fix blocked `POST /profiles/create` and profile deletion, but the latest released `v2026.3.22` code still omits `POST /reset-profile` from the same mutation gate.\n\n## Impact\n\nA caller with `operator.write` access to `browser.request` can still trigger persistent profile reset via `POST /reset-profile`.\n\nThis crosses the intended privilege boundary for browser profile management because the release already attempts to block adjacent persistent profile mutations on this same surface.\n\nIn practice, the allowed route reaches destructive behavior that can:\n\n- stop the running browser for that profile\n- close the Playwright browser connection for that profile\n- move the profile\u0027s local `userDataDir` to Trash when it exists\n\nThis is a real integrity and availability impact on persistent browser state, not a route-classification mismatch with no side effects.\n\n## Affected Component\n\nProduct:\n\n- `openclaw`\n\nTested latest released version:\n\n- release tag: `v2026.3.22`\n- release tag target commit (peeled tag): `e7d11f6c33e223a0dd8a21cfe01076bd76cef87a`\n\nPublished artifact for that release:\n\n- package: `openclaw-2026.3.22.tgz`\n- package build-info commit: `4dcc39c25c6cc63fedfd004f52d173716576fcf0`\n- package build-info timestamp: `2026-03-23T10:56:05.946Z`\n\nExact vulnerable paths on the shipped tag:\n\n- `src/gateway/method-scopes.ts:114`\n  - `browser.request` is placed on the `operator.write` surface\n- `src/gateway/server-methods/browser.ts:155-165`\n  - requests are only denied when `isPersistentBrowserProfileMutation(method, path)` returns true\n- `src/browser/request-policy.ts:19-25`\n  - the mutation classifier recognizes `POST /profiles/create` and `DELETE /profiles/:name`, but not `POST /reset-profile`\n- `src/browser/routes/basic.ts:161-170`\n  - the browser server exposes `POST /reset-profile`\n- `src/browser/server-context.reset.ts:37-63`\n  - `resetProfile()` stops the browser, closes the connection, and moves the local profile directory to Trash when present\n- `src/node-host/invoke-browser.ts:240-243`\n  - the same route-classification helper is reused in the browser proxy path when profile restrictions are active\n\nRelevant regression coverage gap on the shipped tag:\n\n- `src/gateway/server-methods/browser.profile-from-body.test.ts:104-140`\n  - tests only block `POST /profiles/create` and `DELETE /profiles/:name`\n  - there is no equivalent deny case for `POST /reset-profile`\n\nPublished artifact evidence for the exact released package:\n\n- `openclaw-2026.3.22.tgz::package/dist/build-info.json`\n- `openclaw-2026.3.22.tgz::package/dist/gateway-cli-Cxz4pSoJ.js:11469-11525`\n- `openclaw-2026.3.22.tgz::package/dist/gateway-cli-Cxz4pSoJ.js:11484-11485`\n- `openclaw-2026.3.22.tgz::package/dist/request-policy-nIRryZwZ.js:9-12`\n- `openclaw-2026.3.22.tgz::package/dist/routes-CdaHRCET.js:6874-6889`\n\nImportant release note:\n\n- the published package build-info commit differs from the release tag target commit\n- for this issue, the relevant authorization and route behavior was cross-checked in both the shipped tag source and the published package bundle, and it matches semantically on the vulnerable path\n\n## Technical Reproduction\n\nA direct control/exploit pair can be reproduced against the latest released version.\n\nPreconditions:\n\n- use `openclaw@2026.3.22`\n- authenticate as a caller that has access to the scoped Gateway method `browser.request`\n- keep that caller on `operator.write`, not `operator.admin`\n- ensure the target local browser profile exists\n\nReproduction steps:\n\n1. Call `browser.request` with:\n   - `method: \"POST\"`\n   - `path: \"/profiles/create\"`\n   - `body: { \"name\": \"poc-profile\" }`\n2. Observe the control case is rejected with:\n   - `browser.request cannot create or delete persistent browser profiles`\n3. Call `browser.request` again with:\n   - `method: \"POST\"`\n   - `path: \"/reset-profile\"`\n   - `body: { \"profile\": \"poc-profile\", \"name\": \"poc-profile\" }`\n4. Observe that the exploit case is not rejected by the same handler.\n5. Observe that the request is forwarded to the browser route/dispatcher, rather than being denied by the mutation classifier.\n6. Observe that the reset route succeeds and applies profile reset behavior.\n\nWhy this happens in the released code:\n\n- the release tries to gate persistent profile mutation using `isPersistentBrowserProfileMutation(...)`\n- that helper does not classify `POST /reset-profile` as a protected mutation\n- the exposed browser server route still maps `/reset-profile` to `profileCtx.resetProfile()`\n- `resetProfile()` performs state-changing behavior on the selected local profile\n\n## Demonstrated Impact\n\nThe shipped release shows the following behavior difference:\n\nControl case:\n\n- `POST /profiles/create`\n- rejected before the request is dispatched to the browser control path\n\nExploit case:\n\n- `POST /reset-profile`\n- not classified as a blocked mutation\n- remains reachable through the `browser.request` surface\n- reaches `resetProfile()`, which performs destructive profile-management operations\n\nThe reached route has concrete side effects:\n\n- stops the running browser if active\n- closes the Playwright browser connection\n- moves the profile\u0027s local `userDataDir` to Trash if it exists\n\nThis is therefore a concrete authorization and policy gap on a real destructive profile-management route. It is not a complaint about the existence of `browser.request` by itself.\n\n## Environment\n\nEnvironment used for validation:\n\n- product: `openclaw`\n- latest released version: `2026.3.22`\n- release tag: `v2026.3.22`\n- release tag target commit (peeled tag): `e7d11f6c33e223a0dd8a21cfe01076bd76cef87a`\n- published package: `openclaw-2026.3.22.tgz`\n- published package build-info commit: `4dcc39c25c6cc63fedfd004f52d173716576fcf0`\n\nExplicit trust-model statement:\n\n- this report does **not** rely on adversarial or mutually untrusted operators sharing one gateway host or config\n\nScope check:\n\n- this is **not** a complaint about the existence of the explicit `browser.request` surface by itself\n- this is **not** a prompt-injection-only report\n- this is **not** a multi-tenant shared-gateway claim\n- this is **not** an attack on the unscoped HTTP compatibility endpoints\n- this is a concrete missed route inside an intended privilege gate on a real scoped Gateway method\n- the control case proves the policy is intended to exist on this surface, and the exploit case proves `POST /reset-profile` remains outside that gate in the shipped release\n\n## Remediation Advice\n\nRecommended fix:\n\n1. Extend the persistent-profile mutation classifier to include `POST /reset-profile`.\n2. Reuse the same centralized route classification everywhere the release currently relies on `isPersistentBrowserProfileMutation(...)`, including:\n   - `src/gateway/server-methods/browser.ts`\n   - `src/node-host/invoke-browser.ts`\n3. Add regression coverage with both:\n   - a deny control for `POST /reset-profile` on the lower-privilege `browser.request` surface\n   - an allow control for non-mutating browser profile reads\n4. Review nearby profile-management routes for any other state-changing endpoints that are still omitted from the mutation classifier.\n5. Treat `GHSA-vmhq-cqm9-6p7q` as the prior family and close the remaining residual route in the same policy surface.",
  "id": "GHSA-xp9r-prpg-373r",
  "modified": "2026-04-10T17:24:50Z",
  "published": "2026-03-30T19:05:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xp9r-prpg-373r"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaw: `browser.request` still allows `POST /reset-profile` through the `operator.write` surface"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.