CVE
GHSA-h5hg-h7rr-gpf3
OpenClaw: Node browser proxy `allowProfiles` bypass through persistent profile mutation and runtime profile selection
Summary
Node browser proxy allowProfiles bypass through persistent profile mutation and runtime profile selection
Current Maintainer Triage
- Status: open
- Normalized severity: high
- Assessment: Real released allowProfiles bypass through profile mutation and runtime profile selection, fixed and shipped in v2026.3.22+, so keep open for publish rather than close.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published npm version:
2026.3.31 - Vulnerable version range:
<=2026.3.13-1 - Patched versions:
>= 2026.3.22 - First stable tag containing the fix:
v2026.3.22
Fix Commit(s)
eac93507c36ccd0c359fba18fa466ef6448be8a5— 2026-03-23T00:56:44-07:00
Release Process Note
- The fix is already present in released version
2026.3.22. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work.
Thanks @smaeljaish771 for reporting.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
-
C
H
U
0
-
C
H
U
8.1
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Related Resources
No items found.
References
https://github.com/openclaw/openclaw/security/advisories/GHSA-h5hg-h7rr-gpf3, https://github.com/openclaw/openclaw/commit/eac93507c36ccd0c359fba18fa466ef6448be8a5, https://github.com/openclaw/openclaw
Basic Information
Ecosystem
