GHSA-25gx-x37c-7pph: OpenClaw's andbox browser noVNC observer lacked VNC authentication

March 3, 2026

The sandbox browser entrypoint launched x11vnc without authentication (-nopw) for noVNC observer sessions.

OpenClaw-managed runtime flow publishes the noVNC port to host loopback only (127.0.0.1), so default exposure is local to the host unless operators explicitly expose the port more broadly (or run the image standalone with broad port publishing).

References

github.com/advisories/GHSA-25gx-x37c-7pph
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/621d8e1312482f122f18c43c72c67211b141da01
github.com/openclaw/openclaw/commit/8c1518f0f3e0533593cd2dec3a46c9b746753661
github.com/openclaw/openclaw/security/advisories/GHSA-25gx-x37c-7pph

Code Behaviors & Features

Detect and mitigate GHSA-25gx-x37c-7pph with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →