CVE-2026-32064

HIGH

OpenClaw < 2026.2.21 - Missing VNC Authentication in Sandbox Browser noVNC Observer

Title source: cna

Description

OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated access to the VNC interface. Remote attackers on the host loopback interface can connect to the exposed noVNC port to observe or interact with the sandbox browser without credentials.

References (4)

Core 4

Core References

Third Party Advisory third-party-advisory

GitHub Security Advisory (GHSA-25gx-x37c-7pph)

https://github.com/openclaw/openclaw/security/advisories/GHSA-25gx-x37c-7pph

Patch patch

Patch Commit #1

https://github.com/openclaw/openclaw/commit/621d8e1312482f122f18c43c72c67211b141da01

View Patch ZIP pw:eip

Patch patch

Patch Commit #2

https://github.com/openclaw/openclaw/commit/8c1518f0f3e0533593cd2dec3a46c9b746753661

View Patch ZIP pw:eip

Third Party Advisory third-party-advisory

VulnCheck Advisory: OpenClaw < 2026.2.21 - Missing VNC Authentication in Sandbox Browser noVNC Observer

https://www.vulncheck.com/advisories/openclaw-missing-vnc-authentication-in-sandbox-browser-novnc-observer

Scores

CVSS v3 7.7

EPSS 0.0051

EPSS Percentile 39.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-306

Status published

Products (4)

npm/openclaw 0 - 2026.2.21npm

OpenClaw/OpenClaw < 2026.2.21

openclaw/openclaw < 2026.2.21

OpenClaw/OpenClaw 2026.2.21

Published Mar 21, 2026

Tracked Since Mar 21, 2026