{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3690", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2026-03-07T01:52:51.037Z", "datePublished": "2026-04-11T00:17:32.474Z", "dateUpdated": "2026-04-14T13:28:03.464Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-04-11T00:17:32.474Z"}, "title": "OpenClaw Canvas Authentication Bypass Vulnerability", "descriptions": [{"lang": "en", "value": "OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of OpenClaw. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the the authentication function for canvas endpoints. The issue results from improper implementation of authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-29311."}], "affected": [{"vendor": "OpenClaw", "product": "OpenClaw", "versions": [{"version": "2026.2.17", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-291", "description": "CWE-291: Reliance on IP Address for Authentication", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-228/", "name": "ZDI-26-228", "tags": ["x_research-advisory"]}, {"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vvjh-f6p9-5vcf", "name": "vendor-provided URL", "tags": ["vendor-advisory"]}], "dateAssigned": "2026-03-07T01:52:51.091Z", "datePublic": "2026-03-30T13:21:46.260Z", "source": {"lang": "en", "value": "Peter Girnus (@gothburz) and Project AESIR of TrendAI Zero Day Initiative"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.4, "baseSeverity": "HIGH"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T03:55:56.908593Z", "id": "CVE-2026-3690", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:28:03.464Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3690", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T03:55:56.908593Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:33:41.531Z"}}], "cna": {"title": "OpenClaw Canvas Authentication Bypass Vulnerability", "source": {"lang": "en", "value": "Peter Girnus (@gothburz) and Project AESIR of TrendAI Zero Day Initiative"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}}], "affected": [{"vendor": "OpenClaw", "product": "OpenClaw", "versions": [{"status": "affected", "version": "2026.2.17"}], "defaultStatus": "unknown"}], "datePublic": "2026-03-30T13:21:46.260Z", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-228/", "name": "ZDI-26-228", "tags": ["x_research-advisory"]}, {"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vvjh-f6p9-5vcf", "name": "vendor-provided URL", "tags": ["vendor-advisory"]}], "dateAssigned": "2026-03-07T01:52:51.091Z", "descriptions": [{"lang": "en", "value": "OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of OpenClaw. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the the authentication function for canvas endpoints. The issue results from improper implementation of authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-29311."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-291", "description": "CWE-291: Reliance on IP Address for Authentication"}]}], "providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-04-11T00:17:32.474Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3690", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:28:03.464Z", "dateReserved": "2026-03-07T01:52:51.037Z", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "datePublished": "2026-04-11T00:17:32.474Z", "assignerShortName": "zdi"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "539A1AE2-E6EC-4FC0-A794-28AA37D76D8E", "versionEndExcluding": "2026.2.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of OpenClaw. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the the authentication function for canvas endpoints. The issue results from improper implementation of authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-29311."}], "id": "CVE-2026-3690", "lastModified": "2026-04-27T17:09:55.803", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}, "published": "2026-04-11T01:16:15.990", "references": [{"source": "zdi-disclosures@trendmicro.com", "tags": ["Third Party Advisory", "Exploit"], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vvjh-f6p9-5vcf"}, {"source": "zdi-disclosures@trendmicro.com", "tags": ["Third Party Advisory", "Exploit"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-228/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-291"}], "source": "zdi-disclosures@trendmicro.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2026.2.17"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "OpenClaw", "source": "cna", "vendor": "OpenClaw"}, "product": "openclaw", "vendor": "openclaw"}], "analysis": {"en": {"generated_at": "2026-04-11T02:23:38.891869+00:00", "value": {"mitigation_remediation": ["Apply any available OpenClaw patch or upgrade to a version that resolves the authentication bypass.", "If no patch is available, block or restrict external access to Canvas endpoints using firewall rules or a reverse proxy to limit the attack surface.", "Continuously monitor OpenClaw advisories and security bulletins for updates or additional guidance."], "summary": {"action": "Assess Impact", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "OpenClaw product, all installed versions of OpenClaw are potentially affected. The flaw is reported to exist in the canvas authentication function, but no specific version range is identified in the advisory. Systems running OpenClaw should therefore review whether they are running the current version or assess for any unpatched code paths.", "description_and_impact": "The vulnerability resides in the authentication logic for Canvas endpoints in OpenClaw. Because authentication is not enforced, attackers can gain unrestricted access to the system without valid credentials. This flaw permits an attacker to execute any operation that a legitimate authenticated user would be able to perform, potentially exposing sensitive data or modifying system state. The weakness corresponds to improper authentication (CWE-291).", "risk_and_exploitability": "The CVSS score of 7.4 indicates high severity. EPSS data is not available, and the vulnerability is not listed in the KEV catalog. The attack vector is inferred to be remote, with an attacker able to trigger the bypass through web requests to Canvas endpoints. No public exploit code is cited, but the ability to authenticate without credentials makes the vulnerability readily exploitable by anyone with network access to the application."}}}}, "created": "2026-04-13T12:42:06.118182+00:00", "updated": "2026-04-13T12:56:50.836206+00:00", "vendors": ["openclaw", "openclaw$PRODUCT$openclaw"]}