GHSA-vmhq-cqm9-6p7q: OpenClaw: `browser.request` let `operator.write` persist admin-only browser profile changes
An authorization mismatch in the gateway let an authenticated caller with only `operator.write` use `browser.request` to reach browser profile management routes that persist configuration to disk. In practice, this exposed an admin-only configuration write primitive through `/profiles/create`.
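The mismatch described above, modelled as an added example (not OpenClaw's code or its actual fix): the first check authorizes only the outer `browser.request` method, while the second also requires the scope of the route being reached and denies unknown routes. The route table, the `/tabs/open` route, the admin scope placeholder and all function names are assumptions.

```javascript
// Constructed model of the mismatch; not OpenClaw's code.
// Stand-in for the admin-only scope (the advisory text does not name it).
const ADMIN = "ADMIN_SCOPE_PLACEHOLDER";

// Scope needed to call a gateway method directly.
const METHOD_SCOPE = { "browser.request": "operator.write" };

// Scope needed by the route that browser.request forwards to (assumed table).
// Only /profiles/create is from the advisory; /tabs/open is hypothetical.
const ROUTE_SCOPE = [
  { method: "POST", path: "/profiles/create", scope: ADMIN }, // persists config to disk
  { method: "POST", path: "/tabs/open", scope: "operator.write" },
];

// Look up the scope of the forwarded route; null means the route is not listed.
function requiredRouteScope(req) {
  // Drop query/fragment and trailing slashes so simple variants hit the same rule.
  const path = String(req.path).split(/[?#]/)[0].replace(/\/+$/, "") || "/";
  const verb = String(req.method).toUpperCase();
  const rule = ROUTE_SCOPE.find((r) => r.method === verb && r.path === path);
  return rule ? rule.scope : null;
}

// Before: only the outer method's scope is checked, so every forwarded
// route is reachable with operator.write, including the admin-only one.
function authorizeOuterOnly(callerScopes, method, _params) {
  return callerScopes.includes(METHOD_SCOPE[method]);
}

// After: the caller must hold the outer scope AND the scope of the
// forwarded route; unlisted routes fail closed.
function authorizeWithRoute(callerScopes, method, params) {
  if (!callerScopes.includes(METHOD_SCOPE[method])) return false;
  if (method !== "browser.request") return true;
  const needed = requiredRouteScope(params);
  return needed !== null && callerScopes.includes(needed);
}

// Constructed sample: a caller holding only operator.write.
const writer = ["operator.write"];
const createProfile = { method: "POST", path: "/profiles/create" };
console.log("outer-only check:", authorizeOuterOnly(writer, "browser.request", createProfile));
console.log("route-aware check:", authorizeWithRoute(writer, "browser.request", createProfile));
```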