Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network vector with no privileges required; scope changed to capture high downstream C/I impact; UI:R and AC:H reflect the user interaction and complexity prerequisites from the 4.0 vector.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
OpenClaw versions before 2026.6.5 contain an authentication bypass vulnerability in HTTP Canvas responses that allows lower-trust callers to forge trusted A2UI actions. Attackers can perform actions requiring stronger authorization by submitting crafted requests through configured input paths, bypassing intended policy checks.
AnalysisAI
Authentication bypass in OpenClaw before 2026.6.5 enables lower-trust network callers to forge A2UI actions that require higher authorization by submitting crafted HTTP Canvas responses through configured input paths. The flaw (CWE-345: Insufficient Verification of Data Authenticity) allows an attacker to subvert OpenClaw's trust hierarchy and execute privileged actions on downstream systems (SC:H/SI:H per CVSS 4.0), without any direct impact on the OpenClaw instance itself. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to operate as or manipulate a lower-trust caller within OpenClaw's trust model and have the ability to submit HTTP Canvas responses through at least one configured input path in the target deployment. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N) indicates network reachability with no required privileges, but the combination of high attack complexity (AC:H) and active user interaction (UI:A) significantly constrains opportunistic exploitation - an attacker must engineer specific conditions and likely involve a user action to trigger the trust bypass. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with access to a lower-trust caller role - or who can manipulate such a caller - crafts a malicious HTTP Canvas response payload and injects it through a configured input path in OpenClaw, embedding forged A2UI action metadata that falsely asserts a higher trust level. The high attack complexity and active user interaction requirement (AC:H/UI:A) suggest the attacker must engineer a specific trigger condition, such as inducing a legitimate user to interact with content that initiates the forged Canvas response flow. … |
| Remediation | Upgrade to OpenClaw version 2026.6.5 or later, which is the first release addressing this authentication bypass; the 'before 2026.6.5' affected range in the CVE description identifies this as the remediated boundary. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45103
GHSA-2x3r-854j-qm5f