ZDI 2026-03-30

ZDI-26-228: OpenClaw Canvas Authentication Bypass Vulnerability

CVE-2026-3690

Machine-generated analysis · WAYSCloud LLM

The advisory notes that authentication is not required to exploit the vulnerability, indicating potential for unauthenticated remote access.

Context

The OpenClaw Canvas component is affected by an authentication bypass vulnerability. The vulnerability allows remote attackers to bypass authentication on affected installations. The advisory explicitly states that no authentication is needed to exploit the issue. Worth noting, the CVSS score is rated 7.4, reflecting the impact and exploitability as assessed by the ZDI.

Operator considerations

Check: Determine if OpenClaw Canvas is deployed in the environment.

From Zero Day Initiative ↗

This vulnerability allows remote attackers to bypass authentication on affected installations of OpenClaw. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.4. The following CVEs are assigned: CVE-2026-3690.

Read the full advisory on ZDI →