CVE-2026-32064
Published: 21 March 2026
Summary
CVE-2026-32064 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in OpenClaw. Its CVSS v3.1 base score is 7.7 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Remote Services: VNC (T1021.005). The CVE is ranked at the 8.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-41 (Port and I/O Device Access).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-14 requires the organization to explicitly identify, and limit, the actions a system permits without identification or authentication. Applied here, it rules out an observer interface that grants access to the sandboxed browser to any unauthenticated client, which is exactly what the x11vnc/noVNC entrypoint did.
SI-2 requires timely flaw remediation; it is satisfied for this CVE by upgrading OpenClaw to version 2026.2.21 or later, which adds the missing authentication.
SC-41 restricts connection ports and services on affected components, which the page maps to blocking unauthorized connections to the exposed noVNC port. Two caveats apply: in 800-53 r5, SC-41 (Port and I/O Device Access) is written for physically or logically disabling connection ports and I/O devices, so a network-port restriction of this kind is more precisely covered by CM-7 (Least Functionality); and because the listener is bound to the loopback interface, every local user and process can already reach it, so port filtering alone does not substitute for enabling VNC authentication.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Because the x11vnc/noVNC observer interface performs no authentication, any client that can reach the loopback port can open a VNC session to the sandboxed browser; that is Remote Services: VNC (T1021.005), used here by a local rather than a network-remote actor.
NVD Description
OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated access to the VNC interface. Remote attackers on the host loopback interface can connect to the exposed noVNC port to observe or interact with the sandbox browser without credentials.
Deeper analysis
CVE-2026-32064 is a missing authentication vulnerability (CWE-306) affecting OpenClaw versions prior to 2026.2.21. The issue resides in the sandbox browser entrypoint, which launches the x11vnc server without authentication for noVNC observer sessions. This exposes the VNC interface via an unauthenticated noVNC port bound to the host loopback interface, enabling unauthorized access to the sandboxed browser environment. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and was published on 2026-03-21.
Any user or process with access to the host's loopback interface can exploit this vulnerability by connecting directly to the exposed noVNC port without credentials. Note that the CVSS attack vector is Local (AV:L): the listener is not reachable from the network, so the realistic attacker is another local account, or code already running on the host, rather than a network-remote one. No privileges or user interaction are required, and exploitation is low complexity. A successful attack lets the adversary observe or interact with the sandbox browser session, which is why confidentiality and integrity are both rated High: the attacker can view or manipulate browser content within the sandbox.
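A direct way to verify whether a listener of this kind is affected is to perform the RFB (VNC) version handshake and inspect the security types the server advertises: type 1 is "None", meaning the server will accept a client with no authentication at all. The checker below is an added example and is not code from OpenClaw, x11vnc or noVNC; it assumes a raw RFB listener (as x11vnc provides) on the given host and port. If OpenClaw exposes only a websockify/noVNC port, the same RFB bytes are carried inside a WebSocket and the probe would need a WebSocket client instead. The constructed byte strings in the block stand in for real server responses so the parser can be exercised offline.

```python
"""Probe a VNC/RFB listener and report whether it accepts unauthenticated clients.

Added example (not OpenClaw's own code). Assumes a raw RFB 3.7/3.8 server such
as x11vnc; constructed sample responses below are labelled as such.
"""
import socket
import struct
import sys

# Standard RFB security-type numbers (RFC 6143 section 7.1.2 plus registered extensions).
SECURITY_TYPE_NAMES = {
    1: "None (no authentication)",
    2: "VNC Authentication",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
    30: "Apple Remote Desktop",
}

# Constructed sample messages, not captured from a real server:
# one security type offered, and it is type 1 (None) -- what x11vnc -nopw yields.
SAMPLE_UNAUTHENTICATED = b"\x01\x01"
# two types offered: VNC Authentication (2) and VeNCrypt (19).
SAMPLE_AUTHENTICATED = b"\x02\x02\x13"


def parse_security_types(payload: bytes) -> list:
    """Parse the RFB 3.7/3.8 security-types message.

    Layout: U8 count, then `count` U8 type values. A count of 0 means the server
    refused the connection and a U32-length-prefixed reason string follows.
    """
    if not payload:
        raise ValueError("empty security-types message")
    count = payload[0]
    if count == 0:
        if len(payload) < 5:
            raise ValueError("truncated refusal message")
        reason_len = struct.unpack(">I", payload[1:5])[0]
        reason = payload[5:5 + reason_len].decode("latin-1", "replace")
        raise ConnectionError(f"server refused connection: {reason}")
    types = list(payload[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-types message")
    return types


def assess(types: list) -> dict:
    """Classify advertised types; 'unauthenticated' is True when type 1 (None) is offered."""
    return {
        "types": types,
        "names": [SECURITY_TYPE_NAMES.get(t, f"unknown({t})") for t in types],
        "unauthenticated": 1 in types,
    }


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during handshake")
        buf += chunk
    return buf


def probe(host: str = "127.0.0.1", port: int = 5900, timeout: float = 3.0) -> dict:
    """Run the RFB handshake far enough to read the security-types message."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        server_version = _recv_exact(s, 12)  # e.g. b"RFB 003.008\n"
        if not server_version.startswith(b"RFB "):
            raise ValueError(f"not an RFB server: {server_version!r}")
        major, minor = int(server_version[4:7]), int(server_version[8:11])
        if (major, minor) < (3, 7):
            raise NotImplementedError("RFB 3.3 sends a single U32 security type instead")
        s.sendall(b"RFB 003.008\n")  # agree on 3.8; 3.7 uses the same message layout
        count = _recv_exact(s, 1)
        if count[0] == 0:
            reason_len_raw = _recv_exact(s, 4)
            reason = _recv_exact(s, struct.unpack(">I", reason_len_raw)[0])
            payload = count + reason_len_raw + reason
        else:
            payload = count + _recv_exact(s, count[0])
    return assess(parse_security_types(payload))


def verdict(result: dict) -> str:
    return "MISSING AUTHENTICATION" if result["unauthenticated"] else "authentication required or negotiated"


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        res = probe(sys.argv[1], int(sys.argv[2]))
        print(f"{sys.argv[1]}:{sys.argv[2]} offers {res['names']} -> {verdict(res)}")
    else:
        # Offline run against the constructed samples.
        for label, sample in (("nopw sample", SAMPLE_UNAUTHENTICATED), ("auth sample", SAMPLE_AUTHENTICATED)):
            res = assess(parse_security_types(sample))
            print(f"{label}: {res['names']} -> {verdict(res)}")
```

Run it as `python probe.py 127.0.0.1 <port>` against the loopback port the sandbox entrypoint opens; a report of "None (no authentication)" is the affected condition. A server started with x11vnc's `-rfbauth` or `-passwd` options advertises VNC Authentication (type 2) instead, which is the behaviour a fixed deployment should show.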
Mitigation is available via patches in OpenClaw version 2026.2.21 and later, as detailed in GitHub commits 621d8e1312482f122f18c43c72c67211b141da01 and 8c1518f0f3e0533593cd2dec3a46c9b746753661. Security practitioners should review the OpenClaw security advisory at GHSA-25gx-x37c-7pph and the VulnCheck advisory at vulncheck.com/advisories/openclaw-missing-vnc-authentication-in-sandbox-browser-novnc-observer for full remediation guidance, including upgrading affected installations.
Details
- CWE(s)