High severity · NVD Advisory · Published Mar 21, 2026 · Updated Mar 23, 2026
OpenClaw < 2026.2.21 - Missing VNC Authentication in Sandbox Browser noVNC Observer
CVE-2026-32064
Description
In OpenClaw versions prior to 2026.2.21, the sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated access to the VNC interface. Remote attackers on the host loopback interface can connect to the exposed noVNC port to observe or interact with the sandbox browser without credentials.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.2.21 | 2026.2.21 |
References
- github.com/openclaw/openclaw/commit/621d8e1312482f122f18c43c72c67211b141da01 (ghsa, patch, WEB)
- github.com/openclaw/openclaw/commit/8c1518f0f3e0533593cd2dec3a46c9b746753661 (ghsa, patch, WEB)
- github.com/advisories/GHSA-25gx-x37c-7pph (ghsa, ADVISORY)
- github.com/openclaw/openclaw/security/advisories/GHSA-25gx-x37c-7pph (ghsa, third-party-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-32064 (ghsa, ADVISORY)
- www.vulncheck.com/advisories/openclaw-missing-vnc-authentication-in-sandbox-browser-novnc-observer (ghsa, third-party-advisory, WEB)