CVE-2026-3690

EUVD-2026-21622

11.04.2026, 01:16

OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of OpenClaw. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the implementation of the the authentication function for canvas endpoints. The issue results from improper implementation of authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-29311.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.4 HIGH	NETWORK	HIGH	NONE	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 53%

Affected Products (NVD)

Vendor	Product	Version
openclaw	openclaw	𝑥 < 2026.2.19

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-291 - Reliance on IP Address for Authentication
The software uses an IP address for authentication.

References

https://github.com/openclaw/openclaw/security/advisories/GHSA-vvjh-f6p9-5vcf

https://www.zerodayinitiative.com/advisories/ZDI-26-228/