HIGHCVE-2026-32064Published 2026-03-21Modified 2026-03-23CNA VulnCheck

CVE-2026-32064: OpenClaw < 2026.2.21 - Missing VNC Authentication in Sandbox Browser noVNC Observer

OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated access to the VNC interface. Remote attackers on the host loopback interface can connect to the exposed noVNC port to observe or interact with the sandbox browser without credentials.

CVSS v4.0: 8.5
Severity: HIGH
Fixed in: 2026.2.21
Affected Products: 1

Fix available

2026.2.21

Patch commits

Patch Commit #1
Patch Commit #2

Affected packages

OpenClaw / OpenClaw
< 2026.2.21 (from 0)
Fixed in 2026.2.21

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

GitHub Security Advisory (GHSA-25gx-x37c-7pph)
Patch Commit #1
Patch Commit #2
VulnCheck Advisory: OpenClaw < 2026.2.21 - Missing VNC Authentication in Sandbox Browser noVNC Observer

Metrics

Fix available