CVE-2026-32064

7.7 HIGH
Published: March 21, 2026 Modified: March 24, 2026
View on NVD

Description

OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated access to the VNC interface. Remote attackers on the host loopback interface can connect to the exposed noVNC port to observe or interact with the sandbox browser without credentials.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/openclaw/openclaw/commit/621d8e1312482f122f18c43c72c67211b141da01
Source: disclosure@vulncheck.com
Patch
https://github.com/openclaw/openclaw/commit/8c1518f0f3e0533593cd2dec3a46c9b746753661
Source: disclosure@vulncheck.com
Patch
https://github.com/openclaw/openclaw/security/advisories/GHSA-25gx-x37c-7pph
Source: disclosure@vulncheck.com
Mitigation Vendor Advisory
https://www.vulncheck.com/advisories/openclaw-missing-vnc-authentication-in-sandbox-browser-novnc-observer
Source: disclosure@vulncheck.com
Third Party Advisory

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
7.7 / 10.0
EPSS (Exploit Probability)
0.1%
26th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-306

Affected Vendors

openclaw

Related CVEs

CVE-2026-6579 6.5
CVE-2026-6578 5.6
CVE-2026-6577 7.3
CVE-2026-6576 6.3
CVE-2026-6574 7.3