Description
OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of OpenClaw. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the the authentication function for canvas endpoints. The issue results from improper implementation of authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-29311.
References (2)
Core 2
Core References
X_Research Advisory x_research-advisory
ZDI-26-228
https://www.zerodayinitiative.com/advisories/ZDI-26-228/
Vendor Advisory vendor-advisory
vendor-provided URL
https://github.com/openclaw/openclaw/security/advisories/GHSA-vvjh-f6p9-5vcf
Scores
CVSS v3
7.4
EPSS
0.0067
EPSS Percentile
47.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-291
Status
published
Products (2)
openclaw/openclaw
< 2026.2.19
OpenClaw/OpenClaw
2026.2.17
Published
Apr 11, 2026
Tracked Since
Apr 11, 2026