{"data":{"id":"51368ff5-4510-4298-8ef1-7fdc788620c7","title":"GHSA-cmfr-9m2r-xwhq: OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard","summary":"OpenClaw, a user-controlled local assistant, had a security flaw where `node.invoke(browser.proxy)` could bypass the `browser.request` guard and modify persistent browser profiles (stored settings that shouldn't be changed without permission). The vulnerability affected versions up to v2026.04.01.","solution":"Update to patched version `2026.4.8` or later. The fix is available in npm and was verified in commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-cmfr-9m2r-xwhq","publishedAt":"2026-04-09T17:34:21.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":[],"issueType":"vulnerability","affectedPackages":["openclaw@< 2026.4.8 (fixed: 2026.4.8)"],"affectedVendors":[],"affectedVendorsRaw":["OpenClaw"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-04-09T17:34:21.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}