Missing Authentication for Critical Function in OpenClaw - CVE-2026-32064

Published: May 1, 2026


Vulnerability identifier: #VU128843
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32064
CWE-ID: CWE-306
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a local attacker to access the noVNC observer session without authentication.

The vulnerability exists due to missing authentication for a critical function in x11vnc noVNC observer sessions when launching the sandbox browser entrypoint. A local attacker can connect to the exposed VNC service to access the noVNC observer session without authentication.

By default, the noVNC port is published only to host loopback, unless operators expose it more broadly or run the image standalone with broad port publishing.
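The exposure described above depends on where the VNC/noVNC listener is bound. The following audit script is an added example, not part of this advisory or of OpenClaw; it parses listener lines in the shape printed by `ss -ltn` (a constructed sample is embedded) and flags VNC/noVNC listeners that are reachable beyond loopback. The port numbers 5900 (x11vnc) and 6080 (noVNC websockify) are assumed defaults, not values stated in the advisory; adjust them to what the deployment actually publishes.

```python
"""Audit which VNC/noVNC TCP listeners are reachable beyond loopback."""
import ipaddress

# Assumed ports for this check (not stated in the advisory): 5900 is the usual
# x11vnc/VNC port, 6080 the usual noVNC websockify port.
VNC_PORTS = {5900, 6080}


def _split_addr(addr: str):
    """Split an ss-style 'host:port' ('[::1]:6080', '*:5900', '0.0.0.0:5900') into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def _is_loopback(host: str) -> bool:
    """True only for loopback binds; wildcard binds ('*', 0.0.0.0, ::) are never loopback."""
    if host in ("*", "0.0.0.0", "::", ""):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def exposed_vnc_listeners(ss_lines):
    """Return [(host, port)] for VNC/noVNC listeners not bound to loopback.

    Expects lines as printed by `ss -ltn` (State Recv-Q Send-Q
    Local Address:Port Peer Address:Port); the header line is skipped.
    """
    findings = []
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, port = _split_addr(fields[3])
        if port in VNC_PORTS and not _is_loopback(host):
            findings.append((host, port))
    return findings


# Constructed sample output: loopback-only noVNC listeners (IPv4 and IPv6),
# one VNC listener bound to all interfaces, and an unrelated SSH listener.
SAMPLE_SS_OUTPUT = [
    "State  Recv-Q Send-Q Local Address:Port Peer Address:Port",
    "LISTEN 0      128    127.0.0.1:6080     0.0.0.0:*",
    "LISTEN 0      128    0.0.0.0:5900       0.0.0.0:*",
    "LISTEN 0      128    [::1]:6080         [::]:*",
    "LISTEN 0      4096   0.0.0.0:22         0.0.0.0:*",
]

if __name__ == "__main__":
    for host, port in exposed_vnc_listeners(SAMPLE_SS_OUTPUT):
        print(f"WARNING: VNC/noVNC port {port} listens on {host}, reachable beyond loopback")
```

On a real host, feed the function the lines of `ss -ltn` (or the equivalent from the container runtime's port mapping); any finding means the unauthenticated observer session is reachable from more than the local machine and should be re-bound to loopback until the vendor update is applied.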


How to mitigate CVE-2026-32064

Install the security update from the vendor's website.

Sources