Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.9
OpenClaw's sandbox browser lacks authentication for noVNC observer sessions
GHSA-25gx-x37c-7pph
Summary
The OpenClaw sandbox browser does not require a password for noVNC observer sessions, which means an unauthorized user with access to the local network could gain unauthorized access to the browser. This issue affects OpenClaw versions 2026.2.19 and earlier. To fix this, OpenClaw has updated the sandbox browser to require a password for noVNC observer sessions and has changed how it handles observer authentication. To protect your system, rebuild the sandbox browser image and recreate browser containers.
What to do
- Update openclaw to version 2026.2.21.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.21 | 2026.2.21 |
Original title
OpenClaw's andbox browser noVNC observer lacked VNC authentication
Original description
The sandbox browser entrypoint launched `x11vnc` without authentication (`-nopw`) for noVNC observer sessions.
OpenClaw-managed runtime flow publishes the noVNC port to host loopback only (`127.0.0.1`), so default exposure is local to the host unless operators explicitly expose the port more broadly (or run the image standalone with broad port publishing).
## Affected Packages / Versions
- Package: `docker/openclaw`
- Affected: `<= 2026.2.19-2`
- Patched: `>= 2026.2.21`
## Technical details
- `scripts/sandbox-browser-entrypoint.sh` used `x11vnc ... -nopw` for noVNC observer flow.
- `websockify` exposed noVNC for the container listener.
- OpenClaw runtime (`src/agents/sandbox/browser.ts`) already mapped host publish to loopback, but observer auth was missing.
## Fix
- Require VNC password auth in the sandbox browser entrypoint (`x11vnc -rfbauth`), replacing `-nopw`.
- Generate per-container noVNC password in runtime and inject `OPENCLAW_BROWSER_NOVNC_PASSWORD`.
- Emit short-lived noVNC observer token URLs instead of sharing raw noVNC passwords in shared URLs.
- Keep loopback-only host port publish and bump sandbox browser security hash epoch.
- Add security audit findings for sandbox browser containers that publish ports on non-loopback interfaces.
Operational note: rebuild the sandbox browser image and recreate browser containers so existing containers pick up the fix.
## Fix Commit(s)
- `621d8e1312482f122f18c43c72c67211b141da01`
- `8c1518f0f3e0533593cd2dec3a46c9b746753661`
## Release Process Note
Patched version is pre-set to the planned next release (`2026.2.21`). After npm release, this advisory can be published without further field edits.
OpenClaw thanks @TerminalsandCoffee for reporting.
OpenClaw-managed runtime flow publishes the noVNC port to host loopback only (`127.0.0.1`), so default exposure is local to the host unless operators explicitly expose the port more broadly (or run the image standalone with broad port publishing).
## Affected Packages / Versions
- Package: `docker/openclaw`
- Affected: `<= 2026.2.19-2`
- Patched: `>= 2026.2.21`
## Technical details
- `scripts/sandbox-browser-entrypoint.sh` used `x11vnc ... -nopw` for noVNC observer flow.
- `websockify` exposed noVNC for the container listener.
- OpenClaw runtime (`src/agents/sandbox/browser.ts`) already mapped host publish to loopback, but observer auth was missing.
## Fix
- Require VNC password auth in the sandbox browser entrypoint (`x11vnc -rfbauth`), replacing `-nopw`.
- Generate per-container noVNC password in runtime and inject `OPENCLAW_BROWSER_NOVNC_PASSWORD`.
- Emit short-lived noVNC observer token URLs instead of sharing raw noVNC passwords in shared URLs.
- Keep loopback-only host port publish and bump sandbox browser security hash epoch.
- Add security audit findings for sandbox browser containers that publish ports on non-loopback interfaces.
Operational note: rebuild the sandbox browser image and recreate browser containers so existing containers pick up the fix.
## Fix Commit(s)
- `621d8e1312482f122f18c43c72c67211b141da01`
- `8c1518f0f3e0533593cd2dec3a46c9b746753661`
## Release Process Note
Patched version is pre-set to the planned next release (`2026.2.21`). After npm release, this advisory can be published without further field edits.
OpenClaw thanks @TerminalsandCoffee for reporting.
ghsa CVSS4.0
6.9
Vulnerability type
CWE-287
Improper Authentication
CWE-862
Missing Authorization
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026