CVE-2026-32064: OpenClaw's sandbox browser noVNC observer lacked VNC authentication
The sandbox browser entrypoint launched x11vnc with authentication disabled (the -nopw flag) for noVNC observer sessions, so any client that could reach the VNC endpoint could view and interact with the sandboxed browser without presenting a password.
The OpenClaw-managed runtime flow publishes the noVNC port on host loopback only (127.0.0.1), so by default the unauthenticated observer is reachable only by processes on the same host. It becomes reachable from elsewhere only if an operator explicitly publishes the port more broadly, or runs the image standalone with broad port publishing.
References
- github.com/advisories/GHSA-25gx-x37c-7pph
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/621d8e1312482f122f18c43c72c67211b141da01
- github.com/openclaw/openclaw/commit/8c1518f0f3e0533593cd2dec3a46c9b746753661
- github.com/openclaw/openclaw/security/advisories/GHSA-25gx-x37c-7pph
- nvd.nist.gov/vuln/detail/CVE-2026-32064
- www.vulncheck.com/advisories/openclaw-missing-vnc-authentication-in-sandbox-browser-novnc-observer