CVE-2026-42431:

CVE-2026-42431 is a security bypass vulnerability in OpenClaw before version 2026.4.8 that allows authenticated attackers to mutate persistent browser profiles by exploiting the `node.invoke(browser.proxy)` path to circumvent the `browser.request` persistent profile-mutation guard.

Score
A numerical rating that indicates how dangerous this vulnerability is.

8.1High

Published Date:Apr 28, 2026
CISA KEV Date:*No Data*
Industries Affected:20

Exploitability

Score:2.8
Attack Vector:NETWORK
Attack Complexity:LOW
Privileges Required:LOW
User Interaction:NONE
Scope:UNCHANGED

Impact

Score:5.2
Confidentiality Impact:HIGH
Integrity Impact:HIGH
Availability Impact:NONE

Description Preview

Overview

CVE-2026-42431 affects OpenClaw prior to version 2026.4.8 and represents an incorrect authorization flaw (CWE-863) in which the `node.invoke(browser.proxy)` execution path does not enforce the persistent profile-mutation guard that protects the `browser.request` pathway. This architectural inconsistency allows a low-privileged remote attacker, under certain preconditions, to bypass access controls and both read and alter persistent browser profile configurations. The vulnerability poses a significant risk to confidentiality and integrity, with a CVSS v3.1 score of 8.1 (HIGH) and a CVSS v4.0 score of 7.6 (HIGH).

Remediation

Users and administrators running OpenClaw should upgrade to version **2026.4.8 or later** immediately, as this release contains the patch that addresses the security bypass. The fix was introduced in commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. Organizations that cannot immediately upgrade should consider restricting access to affected OpenClaw instances at the network perimeter and auditing browser profile configurations for unauthorized modifications as an interim mitigation measure.