CVE-2026-62215
Received Received - Intake

Authentication Bypass in OpenClaw HTTP Canvas Responses

Vulnerability report for CVE-2026-62215, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

OpenClaw versions before 2026.6.5 contain an authentication bypass vulnerability in HTTP Canvas responses that allows lower-trust callers to forge trusted A2UI actions. Attackers can perform actions requiring stronger authorization by submitting crafted requests through configured input paths, bypassing intended policy checks.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.6.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

OpenClaw versions before 2026.6.5 have an authentication bypass flaw in HTTP Canvas responses. Lower-trust callers can forge trusted A2UI actions by sending crafted requests through configured input paths. This bypasses intended policy checks, allowing attackers to perform actions requiring stronger authorization.

Detection Guidance

Check OpenClaw version with command: openclaw --version. If version is before 2026.6.5, the system is vulnerable. Monitor HTTP Canvas responses for unusual A2UI actions or forged requests.

Impact Analysis

Attackers could exploit this to perform unauthorized actions that require higher privileges. The impact depends on the system's configuration and whether lower-trust input can reach the affected feature. Potential consequences include data breaches, unauthorized modifications, or bypassing security controls.

Compliance Impact

This vulnerability could lead to unauthorized access or data exposure, violating compliance requirements for data protection and access controls. Organizations using OpenClaw may fail to meet GDPR's integrity and confidentiality principles or HIPAA's access control safeguards if exploited.

Mitigation Strategies
  • Upgrade OpenClaw to version 2026.6.5 or later immediately.
  • Restrict HTTP Canvas feature to trusted operators only.
  • Disable the HTTP Canvas feature if not required.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62215. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart