CVE-2026-32064
published 2026-03-21

CVE-2026-32064: OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated…

Priority: P2 · 66
Severity: critical · CVSS 3.1 base score 9.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.51% (39.8th percentile)
In OpenClaw versions prior to 2026.2.21, the sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, leaving the VNC interface open to unauthenticated access. Remote attackers able to reach the host loopback interface can connect to the exposed noVNC port and observe or interact with the sandbox browser without credentials.

Affected

2 ranges

Vendor     Product    Version range        Fixed in
openclaw   openclaw   < 2026.2.21          2026.2.21
openclaw   openclaw   >= 0 < 2026.2.21     2026.2.21

Detection & IOCs (extracted from sources)

  • Detect unauthenticated x11vnc process launched by the OpenClaw sandbox browser entrypoint: look for x11vnc running without authentication flags (e.g., missing -usepw, -passwd, or -rfbauth arguments)
  • Monitor for inbound connections to the noVNC port on the host loopback interface originating from unexpected remote sources, which may indicate exploitation of the unauthenticated VNC exposure
  • Vulnerability only affects OpenClaw (formerly Moltbot or Clawdbot) versions prior to 2026.2.21; versions 2026.2.21 and later are not affected
  • The attack surface is limited to the host loopback interface; however, any process or user with loopback access on the host can exploit the unauthenticated noVNC port without credentials
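As an added detection example (not part of the CVE record or of the OpenClaw project), the following Python script applies the first IOC above to a process table: it flags x11vnc command lines that carry none of x11vnc's authentication options. The process list is constructed sample data; on a live host it would be read from /proc/<pid>/cmdline or `ps -eo pid,args`.

```python
"""Flag x11vnc processes started without any authentication option.

Added example, not code from the CVE record or the OpenClaw project.
Input is a list of (pid, command line) pairs; the sample table below is
constructed, not captured from a real host.
"""
import shlex

# x11vnc options that make a client authenticate. -usepw, -passwd and
# -rfbauth are the ones named in the CVE detection guidance; -passwdfile
# and -unixpw are further password options from the x11vnc man page.
AUTH_FLAGS = frozenset({"-usepw", "-passwd", "-rfbauth", "-passwdfile", "-unixpw"})
# -nopw explicitly disables authentication and silences x11vnc's warning.
NO_AUTH_FLAG = "-nopw"


def is_x11vnc(argv):
    """True when argv[0] is the x11vnc binary, with or without a path."""
    return bool(argv) and argv[0].rsplit("/", 1)[-1] == "x11vnc"


def audit_cmdline(cmdline):
    """Return None for non-x11vnc lines, else a dict describing the finding.

    Caveat: x11vnc also reads options from ~/.x11vncrc, so a clean command
    line is necessary but not sufficient evidence; a hit here is a lead.
    """
    argv = shlex.split(cmdline)
    if not is_x11vnc(argv):
        return None
    opts = {a for a in argv[1:] if a.startswith("-")}
    authenticated = bool(opts & AUTH_FLAGS)
    return {"cmdline": cmdline, "authenticated": authenticated,
            "explicit_nopw": NO_AUTH_FLAG in opts}


def find_unauthenticated(proc_table):
    """Return [(pid, finding)] for every x11vnc without an auth option."""
    return [(pid, f) for pid, cmd in proc_table
            if (f := audit_cmdline(cmd)) and not f["authenticated"]]


# Constructed sample process table (hypothetical pids and paths).
SAMPLE_PROCS = [
    (4120, "/usr/bin/x11vnc -display :99 -forever -shared -rfbport 5900 -nopw"),
    (4188, "/usr/bin/x11vnc -display :1 -forever -rfbauth /home/user/.vnc/passwd"),
    (4201, "python3 /opt/novnc/utils/novnc_proxy --vnc localhost:5900"),
    (4250, "x11vnc -display :2 -passwdfile /run/secrets/vnc_pw"),
]

if __name__ == "__main__":
    for pid, f in find_unauthenticated(SAMPLE_PROCS):
        print(f"pid {pid}: x11vnc without authentication -> {f['cmdline']}")
```

Run against the sample table it reports only pid 4120; the noVNC proxy line is ignored because the check is scoped to the x11vnc binary itself.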

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      9.1     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd      v4.0      8.5     HIGH       CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X