Platform
nodejs
Component
openclaw
Fixed in
2026.2.18
CVE-2026-3690 is an authentication bypass in OpenClaw. The affected range is 2026.2.17 through 2026.2.17, that is, the single release 2026.2.17. The flaw stems from an improper implementation of authentication for the canvas endpoints: those endpoints do not correctly enforce authentication, so a remote attacker can reach them without valid credentials and read or manipulate what they expose. The fix ships in OpenClaw 2026.2.18.
Successful exploitation lets an attacker reach the OpenClaw instance without valid credentials, so data exposed through the affected endpoints can be read, modified or deleted. Depending on the deployment's configuration and the privileges the bypassed authentication would normally gate, the attacker may gain control of the entire system. Because no credentials are required, the bar to exploitation is low, which raises both the likelihood and the impact of an attack.
CVE-2026-3690 was disclosed on 2026-04-11 and was reported through the Zero Day Initiative as ZDI-CAN-29311. No active exploitation is reported on this page and the EPSS estimate is low (0.16%, 37th percentile), but a pre-authentication bypass is an attractive target once details circulate. Monitor security advisories and threat-intelligence feeds for indications of active exploitation.
Exploit Status
EPSS
0.16% (37th percentile)
The primary mitigation for CVE-2026-3690 is to upgrade OpenClaw to 2026.2.18, the release that carries the fix. Where the upgrade cannot be applied immediately, restrict network access to the OpenClaw instance (segmentation, firewall rules or an authenticating reverse proxy in front of it) so that only trusted clients can reach the canvas endpoints, and review the configuration to minimize what a successful bypass could reach. After upgrading, confirm that authentication is enforced by requesting the canvas endpoints without credentials: they must be rejected, not served.
Follow the upgrade instructions in the official OpenClaw documentation or GitHub repository. Ensure the authentication implementation is reviewed and strengthened so that every endpoint, not only the canvas endpoints, enforces it and later changes cannot leave a route unprotected again.
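The post-upgrade check described above, written out as an added example (this is not OpenClaw project code). It assumes three things the advisory does not state: the instance is reachable over HTTP at a base URL supplied in OPENCLAW_BASE_URL, the canvas endpoints live at the hypothetical paths in CANVAS_PATHS, and authenticated clients send a bearer token. Each path is requested once with no credentials and once with a well-formed but invalid token; a 2xx on either request means the endpoint is still served without authentication, a 401/403 means authentication is enforced, and anything else is flagged for manual review. The version helpers encode the range exactly as the advisory gives it.

```javascript
// Post-upgrade verification for CVE-2026-3690 (added example; not OpenClaw project code).
// Assumptions not taken from the advisory: the instance is reachable at OPENCLAW_BASE_URL,
// the canvas endpoints live at the paths in CANVAS_PATHS, and authenticated clients send a
// bearer token. Adjust all three for the deployment under test.

const AFFECTED_FIRST = '2026.2.17'; // affected range stated by the advisory:
const AFFECTED_LAST = '2026.2.17';  // 2026.2.17 through 2026.2.17
const FIXED_IN = '2026.2.18';

// Hypothetical endpoint list; the advisory names only "canvas endpoints".
const CANVAS_PATHS = ['/api/canvas', '/api/canvas/list'];

// OpenClaw uses date-style versions (YYYY.M.D). Parse into numeric parts.
function parseVersion(v) {
  const parts = String(v).trim().split('.');
  if (parts.length !== 3 || parts.some((p) => !/^\d+$/.test(p))) {
    throw new Error(`unrecognised OpenClaw version: ${v}`);
  }
  return parts.map(Number);
}

// Numeric comparator (-1, 0, 1); a string compare would rank "2026.2.9" above "2026.2.17".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version is inside the advisory's affected range and
// older than the fixed release.
function isVulnerableVersion(installed) {
  return compareVersions(installed, AFFECTED_FIRST) >= 0 &&
    compareVersions(installed, AFFECTED_LAST) <= 0 &&
    compareVersions(installed, FIXED_IN) < 0;
}

// Interpret the HTTP status of one unauthenticated request.
// 401/403: the endpoint demanded credentials (expected after the fix).
// 2xx: the endpoint served the request without credentials, the CVE-2026-3690 symptom.
// Anything else (404 for a path this deployment lacks, 3xx to a login page, 5xx)
// proves nothing either way and needs a look by hand.
function classify(status) {
  if (status === 401 || status === 403) return 'auth-enforced';
  if (status >= 200 && status < 300) return 'UNAUTHENTICATED-ACCESS';
  return 'inconclusive';
}

// Probe each path twice: with no Authorization header, then with a well-formed but
// invalid bearer token. A check that only tests for the header's presence, or that
// runs on some routes but not the canvas ones, shows up in these results.
async function probeCanvasEndpoints(baseUrl, paths = CANVAS_PATHS) {
  const results = [];
  for (const path of paths) {
    const url = new URL(path, baseUrl).toString();
    const anonymous = await fetch(url, { redirect: 'manual' });
    const bogus = await fetch(url, {
      redirect: 'manual',
      headers: { Authorization: 'Bearer invalid-token-for-verification' },
    });
    results.push({
      path,
      anonymous: classify(anonymous.status),
      bogusToken: classify(bogus.status),
    });
  }
  return results;
}

// PASS only if every probe was rejected; any 2xx is a FAIL; otherwise REVIEW.
function verdict(results) {
  const hit = (r) => r.anonymous === 'UNAUTHENTICATED-ACCESS' || r.bogusToken === 'UNAUTHENTICATED-ACCESS';
  const ok = (r) => r.anonymous === 'auth-enforced' && r.bogusToken === 'auth-enforced';
  if (results.some(hit)) return 'FAIL';
  if (results.every(ok)) return 'PASS';
  return 'REVIEW';
}

// Runs only when pointed at a live instance, e.g.
//   OPENCLAW_BASE_URL=https://openclaw.internal:8080 OPENCLAW_VERSION=2026.2.18 node check.js
if (process.env.OPENCLAW_BASE_URL) {
  const version = process.env.OPENCLAW_VERSION;
  if (version) {
    console.log(`version ${version}: ${isVulnerableVersion(version) ? 'in affected range' : 'not in affected range'}`);
  }
  probeCanvasEndpoints(process.env.OPENCLAW_BASE_URL).then((results) => {
    for (const r of results) console.log(r);
    console.log(`verdict: ${verdict(results)}`);
  });
}
```

Run it against a staging copy first, and treat REVIEW as a result to investigate rather than a pass: a 404 on an assumed path says nothing about whether the real canvas routes enforce authentication, so replace CANVAS_PATHS with the routes the deployment actually exposes before trusting the verdict.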
CVE-2026-3690 is an authentication bypass in OpenClaw 2026.2.17 (affected range 2026.2.17 through 2026.2.17) that lets a remote attacker reach the canvas endpoints without valid credentials.
You are affected if you are running OpenClaw 2026.2.17. The fix is in 2026.2.18.
Upgrade OpenClaw to 2026.2.18. Until the upgrade is in place, restrict network access to the instance and review its configuration.
No confirmed reports of active exploitation are recorded here, and EPSS is 0.16% (37th percentile), but a pre-authentication bypass remains a credible target.
Refer to the OpenClaw project's website and security advisories for the latest information.