ZDI 2026-03-30

ZDI-26-227: OpenClaw Canvas Path Traversal Information Disclosure Vulnerability

CVE-2026-3689

Machine-generated analysis · WAYSCloud LLM

The vulnerability requires authentication to exploit and could lead to information disclosure via path traversal in OpenClaw.

Context

The affected product is OpenClaw, specifically related to its Canvas component. The vulnerability is a path traversal issue that enables remote information disclosure. The advisory notes that authentication is required to exploit the vulnerability. Worth noting is that the CVSS score is rated at 6.5, indicating a medium severity impact.

Operator considerations

Check: Verify if OpenClaw Canvas is deployed and identify its version.

From Zero Day Initiative ↗

This vulnerability allows remote attackers to disclose sensitive information on affected installations of OpenClaw. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.5. The following CVEs are assigned: CVE-2026-3689.

Read the full advisory on ZDI →