CVE-2026-32064

Published: Mar 21, 2026 Last Modified: Mar 21, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,5

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: none

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

HIGH 7,7

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: none

Description

AI Translation Available

OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated access to the VNC interface. Remote attackers on the host loopback interface can connect to the exposed noVNC port to observe or interact with the sandbox browser without credentials.

306

Missing Authentication for Critical Function

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control Other

Potential Impacts:

Gain Privileges Or Assume Identity Varies By Context

Applicable Platforms

Technologies: Cloud Computing, ICS/OT

Likelihood of Exploit: High

View CWE Details

https://github.com/openclaw/openclaw/commit/621d8e1312482f1…

https://github.com/openclaw/openclaw/commit/621d8e1312482f122f18c43c72c67211b14…

https://github.com/openclaw/openclaw/commit/8c1518f0f3e0533…

https://github.com/openclaw/openclaw/commit/8c1518f0f3e0533593cd2dec3a46c9b7467…

https://github.com/openclaw/openclaw/security/advisories/GH…

https://github.com/openclaw/openclaw/security/advisories/GHSA-25gx-x37c-7pph

https://www.vulncheck.com/advisories/openclaw-missing-vnc-a…

https://www.vulncheck.com/advisories/openclaw-missing-vnc-authentication-in-san…