Lucene search
+L

5 matches found

Github Security Blog
Github Security Blog
added 2026/03/26 6:59 p.m.8 views

OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication

Summary Before v2026.3.23, Canvas and A2UI loopback requests could bypass Canvas bearer-or-capability authentication because authorizeCanvasRequest... treated isLocalDirectRequest... as an unconditional allow path. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.23 -...

5.1CVSS5.9AI score0.00141EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/03/26 6:59 p.m.11 views

GHSA-6MQC-JQH6-X8FC OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication

Summary Before v2026.3.23, Canvas and A2UI loopback requests could bypass Canvas bearer-or-capability authentication because authorizeCanvasRequest... treated isLocalDirectRequest... as an unconditional allow path. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.23 -...

6.9CVSS5.8AI score0.00141EPSS
Exploits0References6
Snyk
Snyk
added 2026/03/03 11:17 p.m.3 views

Improper Restriction of Rendered UI Layers or Frames

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Restriction of Rendered UI Layers or Frames in the canvas route authorization process. An attacker can gain unauthorized access to restricted routes by exploiting insufficient...

8.7CVSS5.8AI score
Exploits0References3
OSV
OSV
added 2026/03/03 11:17 p.m.2 views

GHSA-CJV3-M589-V3RX OpenClaw has Canvas route hardening for mixed-trust deployments

Summary This advisory tracks a defense-in-depth hardening for canvas routes. In mixed-trust or network-visible deployments, prior canvas auth/fallback behavior could broaden access beyond intended boundaries. Deployment Context OpenClaw’s default model is trusted host + loopback-first access. Som...

6.3CVSS5.9AI score
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/03/03 11:17 p.m.11 views

OpenClaw has Canvas route hardening for mixed-trust deployments

Summary This advisory tracks a defense-in-depth hardening for canvas routes. In mixed-trust or network-visible deployments, prior canvas auth/fallback behavior could broaden access beyond intended boundaries. Deployment Context OpenClaw’s default model is trusted host + loopback-first access. Som...

5.9AI score
Exploits0References4Affected Software1
Rows per page
Query Builder