CVE-2026-3689 - Vulnerability Details

- OpenClaw Canvas Path Traversal Information Disclosure Vulnerability

Description

OpenClaw Canvas Path Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of OpenClaw. Authentication is required to exploit this vulnerability.

The specific flaw exists within the handling of the path parameters provided to the canvas gateway endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the service account. Was ZDI-CAN-29312.

Published: 2026-04-11

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allows authenticated attackers to read sensitive files on the server by manipulating path parameters to the canvas gateway endpoint. Because the system lacks proper validation of user‑supplied paths, it is possible to traverse directories and access files accessible to the service account. The primary impact is the disclosure of confidential information, such as configuration files or credentials, rather than execution of arbitrary code or denial of service.

Affected Systems

OpenClaw installations are affected; no specific product versions are listed, so all deployed releases of OpenClaw may be vulnerable unless patched.

Risk and Exploitability

The CVSS score is 6.5, indicating medium severity. The EPSS score is not available, so the likelihood of exploitation cannot be quantified from the data. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires valid authentication, so an attacker must first gain legitimate access or credential compromise. Once authenticated, path traversal can be used to retrieve sensitive files, presenting a moderate overall risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

OpenClaw

unknown

Version	Status	Constraints
`openclaw 2026.2.17`	affected	—

Configuration 1 [-]

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

No data.

Vendor Product Confidence Versions

Openclaw

100%

Version	Status	Scheme	Platform
`2026.2.17`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update OpenClaw to the latest released version or apply vendor‑published patch.
Restrict access to the canvas gateway endpoint by limiting authentication to trusted users or roles.
If a patch is unavailable, consider disabling the canvas gateway feature or enforcing strict path validation.
Monitor application logs for anomalous path traversal attempts and unauthorized file access.

Generated by OpenCVE AI on April 11, 2026 at 02:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00163.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/openclaw/openclaw/security/advisories/GHSA-jq4x-98m3-ggq6
https://www.zerodayinitiative.com/advisories/ZDI-26-227/

History

Mon, 27 Apr 2026 17:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:openclaw:openclaw::::::node.js::*

Mon, 13 Apr 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 13 Apr 2026 13:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Openclaw Openclaw openclaw
Vendors & Products		Openclaw Openclaw openclaw

Sat, 11 Apr 2026 01:00:00 +0000

Type	Values Removed	Values Added
Description		OpenClaw Canvas Path Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of OpenClaw. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of the path parameters provided to the canvas gateway endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the service account. Was ZDI-CAN-29312.
Title		OpenClaw Canvas Path Traversal Information Disclosure Vulnerability
Weaknesses		CWE-22
References		https://github.com/openclaw/openclaw/security/advisories/GHSA-jq4x-98m3-ggq6 https://www.zerodayinitiative.com/advisories/ZDI-26-227/
Metrics		cvssV3_0 `{'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Openclaw Openclaw

MITRE

Status: PUBLISHED

Assigner: zdi

Published: 2026-04-11T00:17:24.472Z

Updated: 2026-04-13T17:40:53.608Z

Reserved: 2026-03-07T01:52:31.328Z

Link: CVE-2026-3689

Vulnrichment

Updated: 2026-04-13T17:40:49.965Z

NVD

Status : Analyzed

Published: 2026-04-11T01:16:15.837

Modified: 2026-04-27T17:08:57.467

Link: CVE-2026-3689

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:56:51Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object