Impact
OpenClaw versions prior to 2026.3.11 contain a mis‑authorization flaw that allows operators with only write permissions to call browser‑profile‑management routes that are normally restricted to administrators. By sending requests through the browser.request interface, an attacker can create new browser profiles or modify existing ones and persist custom CDP (Chrome DevTools Protocol) endpoints to disk. This unauthorized configuration change can tamper with browser behavior and potentially expose the system to further exploitation, but the CVE description does not claim remote code execution. The underlying weakness is a classic authorization bypass (CWE‑863).
Affected Systems
Any installation of OpenClaw (vendor: OpenClaw) running a version older than 2026.3.11 is affected. No finer granularity of impacted releases is specified beyond that cutoff.
Risk and Exploitability
The CVSS score of 7.1 places the vulnerability in the high severity band. Exploitation requires no special conditions beyond an authenticated operator with write access, so insiders or compromised operator accounts can exploit it. EPSS data is not provided, and the vulnerability is not yet listed in the CISA KEV catalog. The likely attack vector is the web API, specifically HTTP requests sent via the browser.request endpoint; this inference is drawn from the CVE description, which states that attackers can issue such requests. Because the flaw is an authorization bypass rather than an authentication weakness, exploitation is straightforward once an authorized session exists.
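As an added illustration (not OpenClaw's code), the following Python models the CWE-863 pattern described in the Impact and Risk sections above: a dispatcher that gates browser.request routes only on the "write" scope, beside a corrected dispatcher that also requires the admin privilege for profile-management routes, plus a small audit helper for reviewing existing logs. Operator, BrowserConfig, ADMIN_ONLY_ROUTES, the route names and audit_profile_changes are hypothetical names assumed for the example, not OpenClaw's API.

```python
# Added illustration of the flaw class in the advisory above; this is not
# OpenClaw's code. Operator, BrowserConfig, ADMIN_ONLY_ROUTES and the route
# names are hypothetical stand-ins for the real browser.request routes.
from dataclasses import dataclass, field

# Routes that create or modify browser profiles (and persist a CDP endpoint)
# must require the admin privilege, not merely "write".
ADMIN_ONLY_ROUTES = frozenset({"browser.profile.create", "browser.profile.update"})


@dataclass(frozen=True)
class Operator:
    name: str
    permissions: frozenset  # e.g. {"read", "write"} or {"read", "write", "admin"}


@dataclass
class BrowserConfig:
    # profile name -> CDP endpoint; in the real product this is written to disk
    profiles: dict = field(default_factory=dict)


def _dispatch(route, params, config):
    """Executes a route once authorization has passed."""
    if route in ADMIN_ONLY_ROUTES:
        config.profiles[params["profile"]] = params["cdp_endpoint"]
        return "profile-saved"
    if route == "browser.navigate":
        return "navigated"
    return "unknown-route"


def browser_request_vulnerable(op, route, params, config):
    """CWE-863 pattern: one coarse check, so any 'write' operator reaches admin routes."""
    if "write" not in op.permissions:
        return "denied"
    return _dispatch(route, params, config)


def browser_request_fixed(op, route, params, config):
    """Checks the privilege the specific route requires before dispatching."""
    if "write" not in op.permissions:
        return "denied"
    if route in ADMIN_ONLY_ROUTES and "admin" not in op.permissions:
        return "denied"
    return _dispatch(route, params, config)


def audit_profile_changes(entries):
    """Detection aid: flag audit-log entries where a non-admin hit an admin-only route."""
    return [e for e in entries
            if e["route"] in ADMIN_ONLY_ROUTES and "admin" not in e["permissions"]]
```

Running audit_profile_changes over historical browser.request logs (constructed entries in the shape shown) is one way to find profile or CDP-endpoint changes made by write-only operators before the upgrade to 2026.3.11.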
OpenCVE Enrichment