OpenClaw 2026.3.22 ships with a high-severity authorization flaw. An authenticated caller holding only the operator.write scope can route POST /reset-profile through browser.request and have it executed. That call resets the persistent browser profile and wipes its local data directory. The hole survived a prior fix, GHSA-vmhq-cqm9-6p7q, which blocked the neighbouring profile mutations (create and delete) but not reset.
Update to 2026.3.24, the current shipping release, which carries the patch. CVSS v3.1 scores the issue 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), classified as CWE-863: Incorrect Authorization. A low-privilege caller bypasses the intended gate and reaches a destructive endpoint.
Why This Hits Hard
Persistent browser profiles keep a userDataDir on disk: cookies, extensions and session state that Playwright-driven automation (testing, scraping) depends on. A reset through this path:
- Stops the running browser instance.
- Closes the Playwright connection.
- Moves the entire userDataDir to Trash if it exists.
This hits availability and integrity in production automation pipelines. A CI/CD job or monitoring service that relies on stable profiles loses them to a single actor with operator.write access. This is not theoretical: the advisory's tests confirm the route executes end to end.
The prior advisory fixed POST /profiles/create and DELETE /profiles/:name but overlooked POST /reset-profile. The gate in browser.ts runs on every request, but it denies only what the shared isPersistentBrowserProfileMutation classifier flags, and the classifier knows only create and delete. Reusing one helper made the fix consistent, not complete.
Exact Attack Surface
Affected component: OpenClaw release tag v2026.3.22, commit e7d11f6c33e223a0dd8a21cfe01076bd76cef87a. Packaged as openclaw-2026.3.22.tgz, built from 4dcc39c25c6cc63fedfd004f52d173716576fcf0 on 2026-03-23T10:56:05.946Z.
Vulnerable code paths:
- src/gateway/method-scopes.ts:114: Places browser.request on operator.write.
- src/gateway/server-methods/browser.ts:155-165: Denies requests only if isPersistentBrowserProfileMutation(method, path) returns true.
- src/browser/request-policy.ts:19-25: Classifier misses POST /reset-profile, catching only create/delete.
- src/browser/routes/basic.ts:161-170: Exposes the reset endpoint.
- src/browser/server-context.reset.ts:37-63: resetProfile() performs the destruction.
- src/node-host/invoke-browser.ts:240-243: Reuses the flawed helper in proxy paths.
Tests in src/gateway/server-methods/browser.profile-from-body.test.ts:104-140 cover the fixed paths but skip reset, exposing the coverage hole.
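To make the gap concrete, here is an added TypeScript example. It is not OpenClaw's code: the classifier bodies, the route table, the scope name profiles.manage and the authorizeBrowserRequest gate are reconstructions from the advisory's description, not the project's implementation. It puts the create/delete-only classifier beside a hardened one that lists every profile-mutating route (reset included) and falls back to treating any non-GET request on a profile route as a mutation, then runs both through the same operator.write gate and a table-driven coverage check of the kind the existing test file lacks.

```typescript
// Added illustrative example, not OpenClaw's own code. Names mirror the
// advisory; all bodies, the route table and the profiles.manage scope are assumptions.

type Method = "GET" | "POST" | "DELETE" | "PUT" | "PATCH";
type Classifier = (method: string, path: string) => boolean;

// Router-style normalisation: drop the query string and a trailing slash so
// "/reset-profile/?x=1" and "/reset-profile" are classified identically.
function normalizePath(path: string): string {
  const noQuery = path.split("?")[0];
  return noQuery.length > 1 && noQuery.endsWith("/") ? noQuery.slice(0, -1) : noQuery;
}

// Classifier as the advisory describes the v2026.3.22 behaviour: only the two
// routes from the earlier fix count as mutations, so POST /reset-profile passes.
function isPersistentBrowserProfileMutationVulnerable(method: string, path: string): boolean {
  const p = normalizePath(path);
  if (method === "POST" && p === "/profiles/create") return true;
  if (method === "DELETE" && /^\/profiles\/[^/]+$/.test(p)) return true;
  return false;
}

// Hardened classifier: one explicit table of every profile-mutating route,
// plus a conservative fallback so an unknown non-read route on a profile
// path is denied rather than silently allowed.
const PROFILE_MUTATIONS: ReadonlyArray<{ method: Method; pattern: RegExp }> = [
  { method: "POST", pattern: /^\/profiles\/create$/ },
  { method: "DELETE", pattern: /^\/profiles\/[^/]+$/ },
  { method: "POST", pattern: /^\/reset-profile$/ }, // the route the prior fix missed
];

function isPersistentBrowserProfileMutationFixed(method: string, path: string): boolean {
  const p = normalizePath(path);
  const m = method.toUpperCase();
  if (PROFILE_MUTATIONS.some((r) => r.method === m && r.pattern.test(p))) return true;
  return m !== "GET" && /profile/i.test(p);
}

// Gate modelled on the described browser.request check: operator.write may
// proxy any browser route except a persistent-profile mutation. The
// profiles.manage scope is hypothetical, standing in for whatever scope is
// meant to own profile management.
function authorizeBrowserRequest(
  scopes: ReadonlySet<string>,
  method: string,
  path: string,
  classifier: Classifier,
): "allow" | "deny" {
  if (scopes.has("profiles.manage")) return "allow";
  if (!scopes.has("operator.write")) return "deny";
  return classifier(method, path) ? "deny" : "allow";
}

// Coverage check: every route in the mutation table must be flagged by the
// classifier under test. Returns the ones it misses, so a route added to the
// table but not to the classifier fails loudly instead of shipping.
function uncoveredMutations(classifier: Classifier): string[] {
  const samples: Array<[Method, string]> = [
    ["POST", "/profiles/create"],
    ["DELETE", "/profiles/default"],
    ["POST", "/reset-profile"],
  ];
  return samples.filter(([m, p]) => !classifier(m, p)).map(([m, p]) => `${m} ${p}`);
}

const operatorOnly = new Set(["operator.write"]);
console.log("vulnerable gate:", authorizeBrowserRequest(operatorOnly, "POST", "/reset-profile", isPersistentBrowserProfileMutationVulnerable));
console.log("fixed gate:", authorizeBrowserRequest(operatorOnly, "POST", "/reset-profile", isPersistentBrowserProfileMutationFixed));
console.log("missed by vulnerable classifier:", uncoveredMutations(isPersistentBrowserProfileMutationVulnerable));
```

The fallback is the important design choice: a deny-list classifier can only ever know the routes someone remembered to add, which is exactly how reset slipped through. Treating any non-GET request on a profile path as a mutation, or better still allow-listing what operator.write may do, means a new destructive route defaults to denied until it is explicitly reviewed.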
Broader Context and Fixes
OpenClaw gates browser automation through a Gateway with scoped methods, separating operator controls from profile management. This flaw erodes that model—operator.write shouldn’t touch profiles at all. In multi-tenant or shared environments, it risks sabotage: a low-priv user disrupts others’ sessions.
Why did it recur? The fix relied on a single mutation checker without an exhaustive mapping of the routes that mutate a profile. The maintainers addressed the obvious vectors and missed one. The release cadence (2026.3.22 to .24) shows fast turnaround, but shipping an incomplete fix for a bug class that had just been reported raises questions about test depth.
Mitigate now: upgrade to v2026.3.24. Audit your scopes and revoke operator.write where it is not needed. Monitor gateway logs for browser.request calls carrying POST /reset-profile. If you are pinned to .22, block the endpoint at a proxy or firewall in front of the browser server as an interim measure, accepting that this also blocks legitimate resets until you upgrade.
This matters because browser persistence underpins reliable automation. One reset cascades: failed tests, lost state, downtime. In crypto/trading bots or security scanners (common Playwright use), it amplifies to financial or recon loss. Patch fast, scope tight, test comprehensively—or pay later.