Common Weakness Enumeration

CWE-291

Allowed

Reliance on IP Address for Authentication

Abstraction: Variant · Status: Incomplete

The product uses an IP address for authentication.

19 vulnerabilities reference this CWE, most recent first.

GHSA-47V2-7QF3-926R

Vulnerability from github – Published: 2025-09-19 21:31 – Updated: 2025-10-03 00:31
VLAI
Details

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to 25.2.169 and Application prior to 25.2.1518 (VA and SaaS deployments) expose Docker internal networks in a way that allows an attacker on the same external L2 segment — or an attacker able to add routes using the appliance as a gateway — to reach container IPs directly. This grants access to internal services (HTTP APIs, Redis, MySQL, etc.) that are intended to be isolated inside the container network. Many of those services are accessible without authentication or are vulnerable to known exploitation chains. As a result, compromise of a single reachable endpoint or basic network access can enable lateral movement, remote code execution, data exfiltration, and full system compromise.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-34202"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-291"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-19T19:15:41Z",
    "severity": "HIGH"
  },
  "details": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to 25.2.169 and Application prior to 25.2.1518 (VA and SaaS deployments) expose Docker internal networks in a way that allows an attacker on the same external L2 segment \u2014 or an attacker able to add routes using the appliance as a gateway \u2014 to reach container IPs directly. This grants access to internal services (HTTP APIs, Redis, MySQL, etc.) that are intended to be isolated inside the container network. Many of those services are accessible without authentication or are vulnerable to known exploitation chains. As a result, compromise of a single reachable endpoint or basic network access can enable lateral movement, remote code execution, data exfiltration, and full system compromise.",
  "id": "GHSA-47v2-7qf3-926r",
  "modified": "2025-10-03T00:31:01Z",
  "published": "2025-09-19T21:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34202"
    },
    {
      "type": "WEB",
      "url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
    },
    {
      "type": "WEB",
      "url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
    },
    {
      "type": "WEB",
      "url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-insecure-access-docker-instances-from-wan"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-insecure-access-to-docker-instances-wan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-55CF-6JJ6-233P

Vulnerability from github – Published: 2026-02-09 06:30 – Updated: 2026-03-05 15:30
VLAI
Details

A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation.

The web server accepts access by IP address. When a worm that randomly searches for IP addresses intrudes into the network, it could potentially be attacked by the worm.

The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-66602"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-291"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-09T04:15:49Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation.\n\n\n\nThe web server accepts\naccess by IP address. When a worm that randomly searches for IP addresses\nintrudes into the network, it could potentially be attacked by the worm.\n\n\n\nThe\naffected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to\nR10.04",
  "id": "GHSA-55cf-6jj6-233p",
  "modified": "2026-03-05T15:30:33Z",
  "published": "2026-02-09T06:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66602"
    },
    {
      "type": "WEB",
      "url": "https://web-material3.yokogawa.com/1/39206/files/YSAR-26-0001-E.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-93G8-MGQC-W7H9

Vulnerability from github – Published: 2026-04-11 03:30 – Updated: 2026-04-11 03:30
VLAI
Details

OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of OpenClaw. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the implementation of the the authentication function for canvas endpoints. The issue results from improper implementation of authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-29311.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-3690"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-291"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-11T01:16:15Z",
    "severity": "HIGH"
  },
  "details": "OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of OpenClaw. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the the authentication function for canvas endpoints. The issue results from improper implementation of authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-29311.",
  "id": "GHSA-93g8-mgqc-w7h9",
  "modified": "2026-04-11T03:30:29Z",
  "published": "2026-04-11T03:30:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vvjh-f6p9-5vcf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3690"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-228"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-98GC-8MJ5-CC3R

Vulnerability from github – Published: 2023-09-05 03:30 – Updated: 2024-04-04 07:26
VLAI
Details

IBM Aspera Faspex 5.0.5 could allow a remote attacked to bypass IP restrictions due to improper access controls. IBM X-Force ID: 259649.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-35906"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-291",
      "CWE-345",
      "CWE-348"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-05T01:15:07Z",
    "severity": "HIGH"
  },
  "details": "IBM Aspera Faspex 5.0.5 could allow a remote attacked to bypass IP restrictions due to improper access controls.  IBM X-Force ID:  259649.",
  "id": "GHSA-98gc-8mj5-cc3r",
  "modified": "2024-04-04T07:26:29Z",
  "published": "2023-09-05T03:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35906"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/259649"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7029681"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FMC9-4F7F-VMQ2

Vulnerability from github – Published: 2026-01-26 12:30 – Updated: 2026-01-26 12:30
VLAI
Details

Instead of typical session tokens or cookies, it is verified on a per-request basis if the originating IP address has once successfully logged in. As soon as an authentication request from a certain source IP is successful, the IP address is handled as authenticated. No other session information is stored. Therefore, it is possible to spoof the IP address of a logged-in user to gain access to the Access Manager web interface.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59101"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-291"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-26T10:16:07Z",
    "severity": "HIGH"
  },
  "details": "Instead of typical session tokens or cookies, it is verified on a per-request basis if the originating IP address has once successfully logged in. As soon as an authentication request from a certain source IP is successful, the IP address is handled as authenticated. No other session information is stored. Therefore, it is possible to spoof the IP address of a logged-in user to gain access to the Access Manager web interface.",
  "id": "GHSA-fmc9-4f7f-vmq2",
  "modified": "2026-01-26T12:30:28Z",
  "published": "2026-01-26T12:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59101"
    },
    {
      "type": "WEB",
      "url": "https://r.sec-consult.com/dkaccess"
    },
    {
      "type": "WEB",
      "url": "https://r.sec-consult.com/dormakaba"
    },
    {
      "type": "WEB",
      "url": "https://www.dormakabagroup.com/en/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HX53-JCHX-CR52

Vulnerability from github – Published: 2024-05-30 12:35 – Updated: 2024-05-30 12:35
VLAI
Summary
Symfony2 improper IP based access control
Details

Damien Tournoud, from the Drupal security team, contacted us two days ago about a security issue in the Request::getClientIp() method when the trust proxy mode is enabled (Request::trustProxyData()).

An application is vulnerable if it uses the client IP address as returned by the Request::getClientIp() method for sensitive decisions like IP based access control.

To fix this security issue, the following changes have been made to all versions of Symfony2:

A new Request::setTrustedProxies() method has been introduced and should be used intead of Request::trustProxyData() to enable the trust proxy mode. It takes an array of trusted proxy IP addresses as its argument:

// before (probably in your front controller script)
Request::trustProxyData();
// after
Request::setTrustedProxies(array('1.1.1.1'));
// 1.1.1.1 being the IP address of a trusted reverse proxy

The Request::trustProxyData() method has been deprecated (when used, it automatically trusts the latest proxy in the chain -- which is the current remote address):

Request::trustProxyData();
// is equivalent to
Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')));

We encourage all Symfony2 users to upgrade as soon as possible. It you don't want to upgrade to the latest version yet, you can also apply the following patches:

Patch for Symfony 2.0.19 Patch for Symfony 2.1.4

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-291"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-30T12:35:51Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Damien Tournoud, from the Drupal security team, contacted us two days ago about a security issue in the Request::getClientIp() method when the trust proxy mode is enabled (Request::trustProxyData()).\n\nAn application is vulnerable if it uses the client IP address as returned by the Request::getClientIp() method for sensitive decisions like IP based access control.\n\nTo fix this security issue, the following changes have been made to all versions of Symfony2:\n\nA new Request::setTrustedProxies() method has been introduced and should be used intead of Request::trustProxyData() to enable the trust proxy mode. It takes an array of trusted proxy IP addresses as its argument:\n```\n// before (probably in your front controller script)\nRequest::trustProxyData();\n```\n```\n// after\nRequest::setTrustedProxies(array(\u00271.1.1.1\u0027));\n// 1.1.1.1 being the IP address of a trusted reverse proxy\n```\nThe Request::trustProxyData() method has been deprecated (when used, it automatically trusts the latest proxy in the chain -- which is the current remote address):\n```\nRequest::trustProxyData();\n```\n```\n// is equivalent to\nRequest::setTrustedProxies(array($request-\u003eserver-\u003eget(\u0027REMOTE_ADDR\u0027)));\n```\nWe encourage all Symfony2 users to upgrade as soon as possible. It you don\u0027t want to upgrade to the latest version yet, you can also apply the following patches:\n\n[Patch](https://github.com/symfony/symfony/compare/fc89d6b...9ce892c.patch) for Symfony 2.0.19\n[Patch](https://github.com/symfony/symfony/compare/922c201...e5536f0.patch) for Symfony 2.1.4",
  "id": "GHSA-hx53-jchx-cr52",
  "modified": "2024-05-30T12:35:51Z",
  "published": "2024-05-30T12:35:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/commit/922c2015f61a7205180d423dce1f7365cc2d8460"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/commit/9ce892cf4395e73b136e9b5cd1fae9e91995c93b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/2012-11-29.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/symfony/symfony"
    },
    {
      "type": "WEB",
      "url": "https://symfony.com/blog/security-release-symfony-2-0-19-and-2-1-4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Symfony2 improper IP based access control"
}

GHSA-Q2Q4-JRR5-68RJ

Vulnerability from github – Published: 2024-10-30 15:30 – Updated: 2024-10-30 15:30
VLAI
Details

The LevelOne WBR-6012 router with firmware R0.40e6 has an authentication bypass vulnerability in its web application due to reliance on client IP addresses for authentication. Attackers could spoof an IP address to gain unauthorized access without needing a session token.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23309"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-291"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-30T14:15:04Z",
    "severity": "CRITICAL"
  },
  "details": "The LevelOne WBR-6012 router with firmware R0.40e6 has an authentication bypass vulnerability in its web application due to reliance on client IP addresses for authentication. Attackers could spoof an IP address to gain unauthorized access without needing a session token.",
  "id": "GHSA-q2q4-jrr5-68rj",
  "modified": "2024-10-30T15:30:46Z",
  "published": "2024-10-30T15:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23309"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1996"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VVJH-F6P9-5VCF

Vulnerability from github – Published: 2026-03-04 19:17 – Updated: 2026-03-04 19:17
VLAI
Summary
OpenClaw Canvas Authentication Bypass Vulnerability
Details

ZDI-CAN-29311: OpenClaw Canvas Authentication Bypass Vulnerability

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: OpenClaw - OpenClaw

-- VULNERABILITY DETAILS ------------------------ * Version tested: openclaw 2026.2.17 * Platform tested: macOS 26.3


Analysis

Description

The OpenClaw gateway's authorizeCanvasRequest() function implements an IP-based authentication fallback for canvas endpoints (/__openclaw__/a2ui/, /__openclaw__/canvas/, /__openclaw__/ws). When a WebSocket client authenticates from a private IP address, ALL subsequent HTTP requests from that same IP are granted canvas access without requiring their own authentication token.

In environments where multiple clients share a single IP address ��� corporate NAT, VPN concentrators, Kubernetes clusters, Docker host-mode networking ��� an unauthenticated attacker on the same network is granted full canvas access by virtue of sharing an IP with a legitimate authenticated client.

Root Cause

Three functions in src/gateway/server-http.ts create this vulnerability:

1. IP-matching function (line ~100)

function hasAuthorizedWsClientForIp(clients: Set<GatewayWsClient>, clientIp: string): boolean {
  for (const client of clients) {
    if (client.clientIp && client.clientIp === clientIp) {
      return true;
    }
  }
  return false;
}

This function checks if ANY connected WebSocket client shares the same IP. It does not verify that the HTTP request belongs to the same user, session, or browser as the WS client.

2. IP-based fallback in authorizeCanvasRequest (line ~109)

async function authorizeCanvasRequest(params: { ... }): Promise<GatewayAuthResult> {
  // ... token check first ...

  const clientIp = resolveGatewayClientIp({ ... });

  // Only allow fallback for private/loopback addresses
  if (!isPrivateOrLoopbackAddress(clientIp)) {
    return lastAuthFailure ?? { ok: false, reason: "unauthorized" };
  }

  // THE VULNERABILITY: grants access based on IP alone
  if (hasAuthorizedWsClientForIp(clients, clientIp)) {
    return { ok: true };
  }

  return lastAuthFailure ?? { ok: false, reason: "unauthorized" };
}

If the HTTP request comes from a private IP that matches any authenticated WS client, access is granted without verifying the request's own credentials.

3. Canvas path routing

function isCanvasPath(pathname: string): boolean {
  return (
    pathname === A2UI_PATH ||              // /__openclaw__/a2ui
    pathname.startsWith(`${A2UI_PATH}/`) ||
    pathname === CANVAS_HOST_PATH ||        // /__openclaw__/canvas
    pathname.startsWith(`${CANVAS_HOST_PATH}/`) ||
    pathname === CANVAS_WS_PATH            // /__openclaw__/ws
  );
}

All canvas endpoints use this weaker authentication path instead of the standard authorizeGatewayConnect() which requires a valid token.

Attack Scenario

Corporate NAT Environment

  1. A company runs an OpenClaw gateway on an internal server with --bind lan and a token for authentication.
  2. Developer Alice connects her OpenClaw desktop app via WebSocket using her valid token. The gateway records her IP as the corporate NAT address (e.g., 10.0.0.1).
  3. Attacker Bob, on the same corporate network, also appears as 10.0.0.1 to the gateway (NAT).
  4. Bob sends an HTTP request to http://gateway:18789/__openclaw__/a2ui/ with NO authentication header.
  5. authorizeCanvasRequest() checks: Is 10.0.0.1 a private IP? Yes. Is there a WS client from 10.0.0.1? Yes (Alice). Access granted.
  6. Bob now has full access to all canvas endpoints ��� the A2UI interface, canvas content, and the canvas WebSocket ��� without ever authenticating.

Kubernetes / Docker Environments

In containerized deployments using shared networking (host mode, pod networking), multiple containers share the same IP. One container's authentication enables canvas access for all containers on that IP.

Reproduction Steps

Prerequisites

  • Docker installed
  • Python 3
  • OpenClaw Docker image built as openclaw:local

Steps

  1. Navigate to the PoC directory and start the environment: bash cd vulnerabilities/04-canvas-ip-auth-bypass docker compose up -d --wait

  2. This starts two containers on a shared Docker network:

  3. Gateway (172.28.0.10): Token-protected OpenClaw gateway
  4. Legitimate client (172.28.0.20): Connects via WebSocket with valid token, establishing IP trust

  5. Wait a few seconds for the legitimate client to authenticate, then run the PoC: bash python3 poc.py

  6. The PoC runs three tests:

Test Source Source IP Token Result
1 ��� Host (different IP) Host machine Host bridge IP None 401 Unauthorized
2 ��� Host with token (control) Host machine Host bridge IP Valid 200 OK
3 ��� Same IP (exploit) docker exec into legit container 172.28.0.20 None 200 OK
  1. Test 3 is the exploit: poc.py uses docker exec to run an HTTP request from inside the legitimate client's container (IP 172.28.0.20) with no Authorization header. The gateway's authorizeCanvasRequest() matches the source IP against the authenticated WebSocket client and returns 200 OK ��� granting full canvas access without credentials.

  2. Cleanup: bash docker compose down -v

Impact

  • Authentication Bypass: Any unauthenticated client sharing an IP with a legitimate WS-authenticated client gains full canvas endpoint access.
  • Information Disclosure: Canvas endpoints serve:
  • The A2UI (Agent-to-User Interface) rendered content, which may contain sensitive data the AI agent is presenting to the user
  • The canvas HTML/JS application
  • The canvas WebSocket upgrade endpoint
  • Scope: Affects all deployments where the gateway is network-exposed (--bind lan) and clients share IP addresses (NAT, VPN, K8s, corporate networks).
  • No auth required: The attacker needs only network adjacency; no credentials, tokens, or user interaction.

-- CREDIT --------------------------------------- This vulnerability was discovered by: Peter Girnus (@gothburz) and Project AESIR of TrendAI Zero Day Initiative

-- FURTHER DETAILS ------------------------------

Supporting files: ZDI-CAN-29311.zip

If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Zero Day Initiative zdi-disclosures@trendmicro.com

The PGP key used for all ZDI vendor communications is available from:

http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI -------------------- Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contactZero Day Initiative for further details or refer to:

http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Zero Day Initiative's vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Fix Commit(s)

  • c45f3c5b004c8d63dc0e282e2176f8c9355d24f1
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-291"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-04T19:17:36Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "ZDI-CAN-29311: OpenClaw Canvas Authentication Bypass Vulnerability\n\n-- ABSTRACT -------------------------------------\n\nTrend Micro\u0027s Zero Day Initiative has identified a vulnerability affecting the following products:\nOpenClaw - OpenClaw\n\n-- VULNERABILITY DETAILS ------------------------\n* Version tested: openclaw 2026.2.17\n* Platform tested: macOS 26.3\n\n---\n\n### Analysis\n\n## Description\n\nThe OpenClaw gateway\u0027s `authorizeCanvasRequest()` function implements an IP-based authentication fallback for canvas endpoints (`/__openclaw__/a2ui/`, `/__openclaw__/canvas/`, `/__openclaw__/ws`). When a WebSocket client authenticates from a private IP address, ALL subsequent HTTP requests from that same IP are granted canvas access without requiring their own authentication token.\n\nIn environments where multiple clients share a single IP address \ufffd\ufffd\ufffd corporate NAT, VPN concentrators, Kubernetes clusters, Docker host-mode networking \ufffd\ufffd\ufffd an unauthenticated attacker on the same network is granted full canvas access by virtue of sharing an IP with a legitimate authenticated client.\n\n## Root Cause\n\nThree functions in `src/gateway/server-http.ts` create this vulnerability:\n\n### 1. IP-matching function (line ~100)\n\n```typescript\nfunction hasAuthorizedWsClientForIp(clients: Set\u003cGatewayWsClient\u003e, clientIp: string): boolean {\n  for (const client of clients) {\n    if (client.clientIp \u0026\u0026 client.clientIp === clientIp) {\n      return true;\n    }\n  }\n  return false;\n}\n```\n\nThis function checks if ANY connected WebSocket client shares the same IP. It does not verify that the HTTP request belongs to the same user, session, or browser as the WS client.\n\n### 2. IP-based fallback in authorizeCanvasRequest (line ~109)\n\n```typescript\nasync function authorizeCanvasRequest(params: { ... }): Promise\u003cGatewayAuthResult\u003e {\n  // ... token check first ...\n\n  const clientIp = resolveGatewayClientIp({ ... });\n\n  // Only allow fallback for private/loopback addresses\n  if (!isPrivateOrLoopbackAddress(clientIp)) {\n    return lastAuthFailure ?? { ok: false, reason: \"unauthorized\" };\n  }\n\n  // THE VULNERABILITY: grants access based on IP alone\n  if (hasAuthorizedWsClientForIp(clients, clientIp)) {\n    return { ok: true };\n  }\n\n  return lastAuthFailure ?? { ok: false, reason: \"unauthorized\" };\n}\n```\n\nIf the HTTP request comes from a private IP that matches any authenticated WS client, access is granted without verifying the request\u0027s own credentials.\n\n### 3. Canvas path routing\n\n```typescript\nfunction isCanvasPath(pathname: string): boolean {\n  return (\n    pathname === A2UI_PATH ||              // /__openclaw__/a2ui\n    pathname.startsWith(`${A2UI_PATH}/`) ||\n    pathname === CANVAS_HOST_PATH ||        // /__openclaw__/canvas\n    pathname.startsWith(`${CANVAS_HOST_PATH}/`) ||\n    pathname === CANVAS_WS_PATH            // /__openclaw__/ws\n  );\n}\n```\n\nAll canvas endpoints use this weaker authentication path instead of the standard `authorizeGatewayConnect()` which requires a valid token.\n\n## Attack Scenario\n\n### Corporate NAT Environment\n\n1. A company runs an OpenClaw gateway on an internal server with `--bind lan` and a token for authentication.\n2. Developer Alice connects her OpenClaw desktop app via WebSocket using her valid token. The gateway records her IP as the corporate NAT address (e.g., `10.0.0.1`).\n3. Attacker Bob, on the same corporate network, also appears as `10.0.0.1` to the gateway (NAT).\n4. Bob sends an HTTP request to `http://gateway:18789/__openclaw__/a2ui/` with NO authentication header.\n5. `authorizeCanvasRequest()` checks: Is `10.0.0.1` a private IP? Yes. Is there a WS client from `10.0.0.1`? Yes (Alice). Access granted.\n6. Bob now has full access to all canvas endpoints \ufffd\ufffd\ufffd the A2UI interface, canvas content, and the canvas WebSocket \ufffd\ufffd\ufffd without ever authenticating.\n\n### Kubernetes / Docker Environments\n\nIn containerized deployments using shared networking (host mode, pod networking), multiple containers share the same IP. One container\u0027s authentication enables canvas access for all containers on that IP.\n\n## Reproduction Steps\n\n### Prerequisites\n- Docker installed\n- Python 3\n- OpenClaw Docker image built as `openclaw:local`\n\n### Steps\n\n1. Navigate to the PoC directory and start the environment:\n   ```bash\n   cd vulnerabilities/04-canvas-ip-auth-bypass\n   docker compose up -d --wait\n   ```\n\n2. This starts two containers on a shared Docker network:\n   - **Gateway** (172.28.0.10): Token-protected OpenClaw gateway\n   - **Legitimate client** (172.28.0.20): Connects via WebSocket with valid token, establishing IP trust\n\n3. Wait a few seconds for the legitimate client to authenticate, then run the PoC:\n   ```bash\n   python3 poc.py\n   ```\n\n4. The PoC runs three tests:\n\n   | Test | Source | Source IP | Token | Result |\n   |------|--------|-----------|-------|--------|\n   | 1 \ufffd\ufffd\ufffd Host (different IP) | Host machine | Host bridge IP | None | **401 Unauthorized** |\n   | 2 \ufffd\ufffd\ufffd Host with token (control) | Host machine | Host bridge IP | Valid | **200 OK** |\n   | 3 \ufffd\ufffd\ufffd **Same IP (exploit)** | **docker exec into legit container** | **172.28.0.20** | **None** | **200 OK** |\n\n5. Test 3 is the exploit: `poc.py` uses `docker exec` to run an HTTP request from inside the legitimate client\u0027s container (IP 172.28.0.20) with **no** `Authorization` header. The gateway\u0027s `authorizeCanvasRequest()` matches the source IP against the authenticated WebSocket client and returns `200 OK` \ufffd\ufffd\ufffd granting full canvas access without credentials.\n\n6. Cleanup:\n   ```bash\n   docker compose down -v\n   ```\n\n## Impact\n\n- **Authentication Bypass**: Any unauthenticated client sharing an IP with a legitimate WS-authenticated client gains full canvas endpoint access.\n- **Information Disclosure**: Canvas endpoints serve:\n  - The A2UI (Agent-to-User Interface) rendered content, which may contain sensitive data the AI agent is presenting to the user\n  - The canvas HTML/JS application\n  - The canvas WebSocket upgrade endpoint\n- **Scope**: Affects all deployments where the gateway is network-exposed (`--bind lan`) and clients share IP addresses (NAT, VPN, K8s, corporate networks).\n- **No auth required**: The attacker needs only network adjacency; no credentials, tokens, or user interaction.\n\n\n\n-- CREDIT ---------------------------------------\nThis vulnerability was discovered by:\nPeter Girnus (@gothburz) and Project AESIR of TrendAI Zero Day Initiative\n\n-- FURTHER DETAILS ------------------------------\n\nSupporting files: \n[ZDI-CAN-29311.zip](https://github.com/user-attachments/files/25445235/ZDI-CAN-29311.zip)\n\n\nIf supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.\n\nZero Day Initiative\nzdi-disclosures@trendmicro.com\n\nThe PGP key used for all ZDI vendor communications is available from:\n\n  http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc\n\n-- INFORMATION ABOUT THE ZDI --------------------\nEstablished by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.\n\nPlease contactZero Day Initiative for further details or refer to:\n\n  http://www.zerodayinitiative.com\n\n-- DISCLOSURE POLICY ----------------------------\n\nZero Day Initiative\u0027s vulnerability disclosure policy is available online at:\n\n  http://www.zerodayinitiative.com/advisories/disclosure_policy/\n    \n\n## Fix Commit(s)\n- `c45f3c5b004c8d63dc0e282e2176f8c9355d24f1`",
  "id": "GHSA-vvjh-f6p9-5vcf",
  "modified": "2026-03-04T19:17:36Z",
  "published": "2026-03-04T19:17:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vvjh-f6p9-5vcf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/c45f3c5b004c8d63dc0e282e2176f8c9355d24f1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaw Canvas Authentication Bypass Vulnerability"
}

GHSA-VXFG-523G-29HW

Vulnerability from github – Published: 2024-01-07 12:30 – Updated: 2024-01-07 12:30
VLAI
Details

A vulnerability was found in Uniway Router 2.0. It has been declared as critical. This vulnerability affects unknown code of the component Administrative Web Interface. The manipulation leads to reliance on ip address for authentication. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. VDB-249766 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-7211"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-291"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-07T10:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Uniway Router 2.0. It has been declared as critical. This vulnerability affects unknown code of the component Administrative Web Interface. The manipulation leads to reliance on ip address for authentication. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. VDB-249766 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-vxfg-523g-29hw",
  "modified": "2024-01-07T12:30:30Z",
  "published": "2024-01-07T12:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7211"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/11thSuALGcn0C_9tbmYu8_QzTXtBnCoNS/view?usp=sharing"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.249766"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.249766"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Use other means of identity verification that cannot be simply spoofed. Possibilities include a username/password or certificate.

CAPEC-4: Using Alternative IP Address Encodings

This attack relies on the adversary using unexpected formats for representing IP addresses. Networked applications may expect network location information in a specific format, such as fully qualified domains names (FQDNs), URL, IP address, or IP Address ranges. If the location information is not validated against a variety of different possible encodings and formats, the adversary can use an alternate format to bypass application access control.