CVE-2026-32064

HIGH

OpenClaw < 2026.2.21 - Missing VNC Authentication in Sandbox Browser noVNC Observer

Title source: cna

Description

OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated access to the VNC interface. Remote attackers on the host loopback interface can connect to the exposed noVNC port to observe or interact with the sandbox browser without credentials.

References (4)

[Third Party Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-25gx-x37c-7pph

[Patch] https://github.com/openclaw/openclaw/commit/621d8e1312482f122f18c43c72c67211b141da01

[Patch] https://github.com/openclaw/openclaw/commit/8c1518f0f3e0533593cd2dec3a46c9b746753661

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-missing-vnc-authentication-in-sandbox-browser-novnc-observer

Scores

CVSS v3 7.7

EPSS 0.0003

EPSS Percentile 8.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-306

Status published

Products (4)

npm/openclaw 0 - 2026.2.21npm

OpenClaw/OpenClaw < 2026.2.21

openclaw/openclaw < 2026.2.21

OpenClaw/OpenClaw 2026.2.21

Published Mar 21, 2026

Tracked Since Mar 21, 2026