CVE-2026-3690

HIGH

OpenClaw Canvas Authentication Bypass Vulnerability

Title source: cna
STIX 2.1

Description

OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of OpenClaw. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the the authentication function for canvas endpoints. The issue results from improper implementation of authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-29311.

References (2)

Core 2
Core References
X_Research Advisory x_research-advisory
ZDI-26-228
https://www.zerodayinitiative.com/advisories/ZDI-26-228/
Vendor Advisory vendor-advisory
vendor-provided URL
https://github.com/openclaw/openclaw/security/advisories/GHSA-vvjh-f6p9-5vcf

Scores

CVSS v3 7.4
EPSS 0.0067
EPSS Percentile 47.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-291
Status published
Products (2)
openclaw/openclaw < 2026.2.19
OpenClaw/OpenClaw 2026.2.17
Published Apr 11, 2026
Tracked Since Apr 11, 2026