๐Ÿ” CVE Alert

CVE-2026-3690

HIGH 7.4

OpenClaw Canvas Authentication Bypass Vulnerability

CVSS Score
7.4
EPSS Score
0.1%
EPSS Percentile
33rd

OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of OpenClaw. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the authentication function for canvas endpoints. The issue results from improper implementation of authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-29311.

CWE CWE-291
Vendor openclaw
Product openclaw
Published Apr 11, 2026
Last Updated Apr 14, 2026

CVSS v3 Breakdown

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Versions

OpenClaw / OpenClaw
2026.2.17

References

NVD, CVE.org, EPSS Data
zerodayinitiative.com: https://www.zerodayinitiative.com/advisories/ZDI-26-228/
github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-vvjh-f6p9-5vcf