OpenClaw Authentication Bypass Vulnerability in Canvas Gateway
Vulnerability
An authentication bypass has been identified in OpenClaw versions prior to 2026.3.23. The issue resides in the Canvas gateway, specifically in the 'authorizeCanvasRequest()' function, which mishandles local-direct requests: for a request it classifies as local-direct, the function skips the bearer-token and Canvas-capability checks entirely. Because a request arriving over the loopback interface is treated as local-direct, an attacker who can reach the gateway on loopback can send unauthenticated HTTP and WebSocket requests to Canvas routes and obtain access that should have required a valid bearer token or Canvas capability.
Impact
Exploitation of this vulnerability allows an attacker to bypass authentication on Canvas routes. Since the bypass is triggered by loopback HTTP and WebSocket requests, any process able to connect to the gateway on the local host (for example, a lower-privileged or compromised co-located service) can reach those routes without a bearer token or Canvas capability.
Reproduction
The vulnerability can be reproduced by sending loopback HTTP or WebSocket requests to Canvas routes without a bearer token or Canvas capability. A request that lacks these credentials is normally denied. On an affected version, however, a request arriving over the loopback interface is classified as local-direct, and 'authorizeCanvasRequest()' returns an authorized result for local-direct requests before the bearer-token and capability checks run, so the request is served.
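The following is an added illustration of the flaw class described in the Vulnerability and Reproduction sections above. It is not OpenClaw's code and does not reproduce the project's real 'authorizeCanvasRequest()': the request shape, the helper names, the "loopback means local-direct" heuristic, and the sample requests are all assumptions constructed for the example. It places the vulnerable pattern (origin short-circuits the credential check) beside the hardened one (origin is never treated as a credential), and exercises both with constructed loopback and remote requests.

```typescript
import { timingSafeEqual } from "node:crypto";

// Assumed request shape: the fields a gateway would typically have at hand
// when authorizing an HTTP request or a WebSocket upgrade.
interface CanvasRequest {
  remoteAddress: string;            // peer address as seen by the gateway
  headers: Record<string, string>;  // header names in lowercase
  capability?: string;              // Canvas capability token, if presented
}

// Assumed server-side context: the gateway bearer token and issued capabilities.
interface AuthContext {
  bearerToken: string;
  validCapabilities: Set<string>;
}

type Decision =
  | { allowed: true; via: "bearer" | "capability" | "local-direct" }
  | { allowed: false; reason: string };

const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

// Assumed heuristic for the example: a loopback peer counts as "local-direct".
function isLocalDirect(req: CanvasRequest): boolean {
  return LOOPBACK.has(req.remoteAddress);
}

function bearerFrom(req: CanvasRequest): string | undefined {
  const h = req.headers["authorization"];
  if (!h) return undefined;
  const m = /^Bearer\s+(\S+)$/i.exec(h);
  return m ? m[1] : undefined;
}

// Length-guarded constant-time comparison so token checks do not leak timing.
function constantTimeEqual(a: string, b: string): boolean {
  const ba = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// The credential check proper: a valid bearer token or a known capability.
function checkCredentials(req: CanvasRequest, ctx: AuthContext): Decision {
  const token = bearerFrom(req);
  if (token !== undefined && constantTimeEqual(token, ctx.bearerToken)) {
    return { allowed: true, via: "bearer" };
  }
  if (req.capability !== undefined && ctx.validCapabilities.has(req.capability)) {
    return { allowed: true, via: "capability" };
  }
  return { allowed: false, reason: "missing or invalid bearer token / Canvas capability" };
}

// Vulnerable pattern: a local-direct request is authorized before any
// credential is examined, so an unauthenticated loopback caller gets through.
function authorizeCanvasRequestVulnerable(req: CanvasRequest, ctx: AuthContext): Decision {
  if (isLocalDirect(req)) {
    return { allowed: true, via: "local-direct" };
  }
  return checkCredentials(req, ctx);
}

// Hardened pattern: the peer address is context, never a credential. Every
// request, loopback or not, must present a bearer token or a Canvas capability.
// The same function should gate the WebSocket upgrade request as well.
function authorizeCanvasRequestFixed(req: CanvasRequest, ctx: AuthContext): Decision {
  return checkCredentials(req, ctx);
}

// Constructed sample data for the demonstration.
const ctx: AuthContext = {
  bearerToken: "example-gateway-token",
  validCapabilities: new Set(["canvas-cap-abc123"]),
};

const loopbackNoCreds: CanvasRequest = { remoteAddress: "127.0.0.1", headers: {} };
const remoteNoCreds: CanvasRequest = { remoteAddress: "203.0.113.7", headers: {} };
const loopbackWithBearer: CanvasRequest = {
  remoteAddress: "::1",
  headers: { authorization: "Bearer example-gateway-token" },
};
const remoteWithCapability: CanvasRequest = {
  remoteAddress: "203.0.113.7",
  headers: {},
  capability: "canvas-cap-abc123",
};

// Side-by-side result table for the reader; returns the decisions so they can be checked.
function demo(): Record<string, { vulnerable: Decision; fixed: Decision }> {
  const cases: Record<string, CanvasRequest> = {
    loopbackNoCreds,
    remoteNoCreds,
    loopbackWithBearer,
    remoteWithCapability,
  };
  const out: Record<string, { vulnerable: Decision; fixed: Decision }> = {};
  for (const [name, req] of Object.entries(cases)) {
    out[name] = {
      vulnerable: authorizeCanvasRequestVulnerable(req, ctx),
      fixed: authorizeCanvasRequestFixed(req, ctx),
    };
    console.log(name, JSON.stringify(out[name]));
  }
  return out;
}

demo();
```

The only case where the two implementations disagree is the unauthenticated loopback request, which is exactly the reproduction described above: the vulnerable function reports it as allowed via "local-direct", the hardened one denies it. A useful regression test for any gateway with a local-trust shortcut is precisely that pair of assertions, plus a check that the same authorizer is invoked on the WebSocket upgrade path and not only on plain HTTP routes.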
Remediation
Upgrade to OpenClaw version 2026.3.23 or later, which corrects the local-direct handling in 'authorizeCanvasRequest()' so that loopback requests to Canvas routes are subject to the bearer-token and Canvas-capability checks.
