CVE-2026-35634
Authentication Bypass in OpenClaw Canvas Gateway Enables Unauthorized Access
Publication date: 2026-04-09
Last updated on: 2026-04-16
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | all versions before 2026.3.23 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenClaw versions before 2026.3.23 and involves an authentication bypass in the Canvas gateway. Specifically, the function authorizeCanvasRequest() allows local-direct requests without properly validating bearer tokens or canvas capabilities. This means attackers can send unauthenticated HTTP and WebSocket requests from the loopback interface to Canvas routes and bypass authentication controls.
How can this vulnerability impact me?
The vulnerability allows attackers to gain unauthorized access to the Canvas routes by bypassing authentication. This could lead to unauthorized actions or access to sensitive information within the affected system, potentially compromising system integrity and confidentiality.