OpenClaw Security February 13, 2026

OpenClaw Canvas Security: Restricting IP-Based Auth to Private Networks

A security fix closes a potential attack vector in OpenClaw's canvas feature, restricting IP-based authentication to trusted local networks only.

Contributor

Yi Liu — Security-focused contributor to OpenClaw. This fix is part of an ongoing effort to harden OpenClaw's network-facing components as adoption grows.

The Vulnerability

OpenClaw's canvas feature allows agents to render and interact with visual content — think of it as a way for your AI assistant to "see" and manipulate web pages, documents, or custom UIs. This powerful capability requires careful security boundaries.

The issue: canvas IP-based authentication was accepting connections from any IP address, not just private/local networks. In certain deployment configurations, this could allow unauthorized access from external networks.

Attack Vector: If an OpenClaw instance was exposed to the internet (intentionally or accidentally) with canvas enabled, an attacker could potentially interact with the canvas endpoints using IP-based authentication, bypassing other auth mechanisms.

The Fix

PR #14661 restricts canvas IP-based authentication to the RFC 1918 private ranges plus the loopback addresses:

Now restricted to private networks only:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 127.0.0.0/8 (IPv4 localhost)
- ::1 (IPv6 localhost)

Connections from public IP addresses now require proper token-based authentication, regardless of other configuration settings.

Why This Matters

This fix reflects OpenClaw's transition from "hobbyist tool" to "production infrastructure." Early in a project's lifecycle, convenience features like IP-based auth help with development and testing. As adoption grows, these same features become attack surfaces.

The security implications are particularly relevant because:

Part of a Larger Pattern

This fix arrives alongside several other security-focused changes in today's commits:

The pattern suggests a coordinated security review or a systematic hardening effort as OpenClaw approaches a new release milestone.

🛡️ Implications for Users

Technical Details

The implementation checks the request source IP against private network ranges before allowing IP-based authentication to proceed:

function isPrivateNetwork(ip: string): boolean {
  // IPv4 private ranges (RFC 1918), matched on the dotted-quad prefix
  if (ip.match(/^10\./)) return true;                                // 10.0.0.0/8
  if (ip.match(/^172\.(1[6-9]|2[0-9]|3[0-1])\./)) return true;       // 172.16.0.0/12
  if (ip.match(/^192\.168\./)) return true;                          // 192.168.0.0/16
  // IPv4 loopback
  if (ip.match(/^127\./)) return true;                               // 127.0.0.0/8

  // IPv6 localhost (the only IPv6 address treated as private)
  if (ip === '::1') return true;

  // Anything else, including other IPv6 addresses, is not private
  return false;
}

This is a defense-in-depth measure — proper token-based authentication should be the primary mechanism, with IP-based auth as a convenience layer for trusted local development environments.
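To show how the range list under "The Fix" and the check under "Technical Details" can be enforced without a regex per range, here is an added TypeScript example. It is not OpenClaw's code and not taken from PR #14661; the names isPrivateAddress and canvasAuthDecision are assumed. It goes slightly beyond the page's function by parsing the ranges as CIDR prefixes, by accepting the IPv4-mapped IPv6 form (::ffff:a.b.c.d) that Node sockets often report on dual-stack hosts, and by failing closed on anything it cannot parse. The sample addresses at the bottom are constructed.

```typescript
// Added example (not OpenClaw's code): CIDR-based private-network check and
// the auth decision it gates. isPrivateAddress and canvasAuthDecision are
// assumed names, not identifiers from the project.
import * as net from "net";

// The ranges the fix allows for IP-based auth: RFC 1918 plus IPv4 loopback.
// IPv6 is limited to ::1, matching the page; unique-local (fc00::/7) is not
// treated as private here.
const PRIVATE_V4_CIDRS: Array<[string, number]> = [
  ["10.0.0.0", 8],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
  ["127.0.0.0", 8],
];

// Dotted-quad IPv4 -> unsigned 32-bit integer; null when not a valid IPv4 literal.
function ipv4ToInt(ip: string): number | null {
  if (!net.isIPv4(ip)) return null;
  return ip
    .split(".")
    .map(Number)
    .reduce((acc, octet) => ((acc << 8) | octet) >>> 0, 0);
}

// True when ipInt falls inside base/bits.
function inCidr(ipInt: number, base: string, bits: number): boolean {
  const baseInt = ipv4ToInt(base);
  if (baseInt === null) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// Decide whether a source address is on a trusted private network.
// Anything that does not parse is rejected (fail closed).
function isPrivateAddress(raw: string): boolean {
  const ip = raw.trim().toLowerCase();
  if (ip === "::1") return true; // IPv6 loopback
  // Dual-stack sockets often report IPv4 clients as ::ffff:a.b.c.d; evaluate
  // the embedded IPv4 address rather than rejecting it outright.
  const v4 = ip.startsWith("::ffff:") ? ip.slice("::ffff:".length) : ip;
  const n = ipv4ToInt(v4);
  if (n === null) return false;
  return PRIVATE_V4_CIDRS.some(([base, bits]) => inCidr(n, base, bits));
}

type AuthDecision = "ip-auth" | "token-required";

// The gate the fix introduces: IP-based auth only from private sources;
// everyone else must present a valid token regardless of configuration.
function canvasAuthDecision(remoteAddress: string): AuthDecision {
  return isPrivateAddress(remoteAddress) ? "ip-auth" : "token-required";
}

// Constructed sample addresses for a stand-alone run.
const samples = [
  "10.1.2.3", "172.31.255.254", "172.32.0.1", "192.168.0.10",
  "::ffff:127.0.0.1", "::1", "8.8.8.8", "fd00::1", "not-an-ip",
];
for (const s of samples) {
  console.log(s.padEnd(18), canvasAuthDecision(s));
}
```

The address handed to canvasAuthDecision should be the socket's own peer address (req.socket.remoteAddress in Node), not a client-supplied header such as X-Forwarded-For; a header is only trustworthy when a reverse proxy you control is the sole party able to set it. Note also that 172.32.0.1 is rejected: it sits just outside 172.16.0.0/12, which is the kind of boundary a hand-written prefix match is easy to get wrong and a CIDR mask gets right by construction.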