Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-32064

OpenClaw's andbox browser noVNC observer lacked VNC authentication
Back to all
CVE

CVE-2026-32064

OpenClaw's andbox browser noVNC observer lacked VNC authentication

The sandbox browser entrypoint launched x11vnc without authentication (-nopw) for noVNC observer sessions.

OpenClaw-managed runtime flow publishes the noVNC port to host loopback only (127.0.0.1), so default exposure is local to the host unless operators explicitly expose the port more broadly (or run the image standalone with broad port publishing).

Affected Packages / Versions

  • Package: docker/openclaw
  • Affected: <= 2026.2.19-2
  • Patched: >= 2026.2.21

Technical details

  • scripts/sandbox-browser-entrypoint.sh used x11vnc ... -nopw for noVNC observer flow.
  • websockify exposed noVNC for the container listener.
  • OpenClaw runtime (src/agents/sandbox/browser.ts) already mapped host publish to loopback, but observer auth was missing.

Fix

  • Require VNC password auth in the sandbox browser entrypoint (x11vnc -rfbauth), replacing -nopw.
  • Generate per-container noVNC password in runtime and inject OPENCLAWBROWSERNOVNC_PASSWORD.
  • Emit short-lived noVNC observer token URLs instead of sharing raw noVNC passwords in shared URLs.
  • Keep loopback-only host port publish and bump sandbox browser security hash epoch.
  • Add security audit findings for sandbox browser containers that publish ports on non-loopback interfaces.

Operational note: rebuild the sandbox browser image and recreate browser containers so existing containers pick up the fix.

Fix Commit(s)

  • 621d8e1312482f122f18c43c72c67211b141da01
  • 8c1518f0f3e0533593cd2dec3a46c9b746753661

Release Process Note

Patched version is pre-set to the planned next release (2026.2.21). After npm release, this advisory can be published without further field edits.

OpenClaw thanks @TerminalsandCoffee for reporting.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.5
-
4.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
3.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
C
H
U
7.7
-
3.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Related Resources

No items found.

References

https://github.com/openclaw/openclaw/security/advisories/GHSA-25gx-x37c-7pph, https://nvd.nist.gov/vuln/detail/CVE-2026-32064, https://github.com/openclaw/openclaw/commit/621d8e1312482f122f18c43c72c67211b141da01, https://github.com/openclaw/openclaw/commit/8c1518f0f3e0533593cd2dec3a46c9b746753661, https://github.com/openclaw/openclaw, https://www.vulncheck.com/advisories/openclaw-missing-vnc-authentication-in-sandbox-browser-novnc-observer

Severity

7.7

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
7.7
EPSS Probability
0.0003%
EPSS Percentile
0.08758%
Introduced Version
0,2026.2.6-1,2026.2.2,2026.1.29-beta.1,2026.1.27-beta.1,2026.1.14-1,2026.1.4
Fix Available
2026.2.21

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading