PT-2026-25452 · Npm · Openclaw
Published 2026-03-03 · Updated 2026-03-03
CVSS v4.0: 6.3 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N |
Summary
This advisory tracks a defense-in-depth hardening for canvas routes. In mixed-trust or network-visible deployments, prior canvas auth/fallback behavior could broaden access beyond intended boundaries.
Deployment Context
OpenClaw’s default model is trusted host + loopback-first access. Some operators intentionally expose canvas routes on LAN/tailnet. This update is aimed at those broader deployment patterns.
What Changed
- Require explicit token or session-capability authorization for canvas routes.
- Remove shared-IP fallback paths for canvas access.
- Tighten bind/fallback behavior to fail closed.
Impact
Risk was highest in non-loopback or mixed-trust environments. In strict single-operator trusted-host setups, practical exposure is lower.
Affected Packages / Versions
- Package: openclaw (npm)
- Vulnerable: <= 2026.2.19-2
- Patched: 2026.2.21 (next release target)
Fix Commit(s)
- c45f3c5b004c8d63dc0e282e2176f8c9355d24f1
- 08a7967936cfc0b2af6b27ec1f9272542648ad6c
Thanks @NucleiAv for reporting.
Fix
XSS
Clickjacking
Affected Products
Openclaw