CVE-2026-42431: OpenClaw Vulnerability Allows Persistent Browser Profile Mutation
The National Vulnerability Database has disclosed CVE-2026-42431, a high-severity security bypass vulnerability in OpenClaw versions prior to 2026.4.8. This flaw, rated with a CVSS score of 8.1, exists within the node.invoke(browser.proxy) function.
Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard. This allows them to modify and corrupt persistent browser configurations, potentially leading to unauthorized data access, altered user experiences, or further compromise of the system. The vulnerability is classified under CWE-863, highlighting an improper isolation of security-critical resources.
While the National Vulnerability Database did not specify affected products, any organization utilizing OpenClaw should assume they are at risk. This isn’t just about a single browser setting; it’s about an attacker gaining control over how a browser behaves persistently, which can have cascading effects on user trust and system integrity.
What This Means For You
- If your organization uses OpenClaw, you need to immediately identify all instances running versions prior to 2026.4.8. Prioritize patching or upgrading to the latest secure version to mitigate this high-severity security bypass. Audit any systems that interact with OpenClaw for signs of unauthorized browser profile modifications.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-42431: OpenClaw node.invoke Browser Profile Mutation
title: CVE-2026-42431: OpenClaw node.invoke Browser Profile Mutation
id: scw-2026-04-28-ai-1
status: experimental
level: high
description: |
Detects the specific path '/node.invoke(browser.proxy)' used in OpenClaw versions prior to 2026.4.8 to bypass browser request guards and mutate persistent browser profiles. This indicates an attempt to modify browser configurations maliciously.
author: SCW Feed Engine (AI-generated)
date: 2026-04-28
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-42431/
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
cs-uri|contains:
- '/node.invoke(browser.proxy)'
cs-method:
- 'POST'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42431 | Auth Bypass | OpenClaw software versions prior to 2026.4.8 |
| CVE-2026-42431 | Auth Bypass | Vulnerable function: node.invoke(browser.proxy) |
| CVE-2026-42431 | Auth Bypass | Circumvention of browser.request persistent profile-mutation guard |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 28, 2026 at 22:37 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
Daily Security Digest — 2026-04-28
80 vulnerability disclosures (20 Critical, 60 High) and 25 curated intelligence stories from 9 sources.
OpenClaw CVE-2026-42426: Improper Authorization Allows Node Pairing Bypass
CVE-2026-42426 — OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged...
OpenClaw CVE-2026-42422: Role Bypass Allows Unapproved Token Minting
CVE-2026-42422 — OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device...