CVE-2026-3690

HIGH

OpenClaw Canvas Authentication Bypass Vulnerability

Title source: cna

Description

OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of OpenClaw. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the the authentication function for canvas endpoints. The issue results from improper implementation of authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-29311.

References (2)

[X_Research Advisory] https://www.zerodayinitiative.com/advisories/ZDI-26-228/

[Vendor Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-vvjh-f6p9-5vcf

Scores

CVSS v3 7.4

EPSS 0.0016

EPSS Percentile 37.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE

CWE-291

Status published

Products (1)

OpenClaw/OpenClaw 2026.2.17

Published Apr 11, 2026

Tracked Since Apr 11, 2026