CVE-2026-3690

EUVD-2026-21622

11.04.2026, 01:16

OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of OpenClaw. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the implementation of the the authentication function for canvas endpoints. The issue results from improper implementation of authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-29311.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
zdi	CNA	7.4 HIGH	NETWORK	HIGH	NONE	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
openclaw	openclaw	2026.2.17	CNA

Common Weakness Enumeration

CWE-291 - Reliance on IP Address for Authentication
The software uses an IP address for authentication.

References

https://github.com/openclaw/openclaw/security/advisories/GHSA-vvjh-f6p9-5vcf

https://www.zerodayinitiative.com/advisories/ZDI-26-228/