EUVD-2026-21622
GHSA-93g8-mgqc-w7h9
CVSS VectorNVD
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4DescriptionNVD
OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of OpenClaw. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the implementation of the the authentication function for canvas endpoints. The issue results from improper implementation of authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-29311.
AnalysisAI
Unauthenticated remote attackers bypass authentication in OpenClaw canvas endpoints due to improper authentication implementation (CWE-291). Exploitation requires no user interaction and yields high confidentiality/integrity impact. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Inventory all OpenClaw deployments and identify canvas endpoint exposure to untrusted networks; document affected versions. Within 7 days: Implement network-level access controls (firewall rules, WAF policies) to restrict canvas endpoints to authorized users/networks only; contact OpenClaw vendor for patch timeline and interim guidance. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today