Description
OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that exposes interactive browser session credentials. Attackers can access the noVNC helper route without bridge authentication to gain unauthorized access to the interactive browser session.
Published: 2026-05-06
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CVE-2026-43575 is an authentication bypass that allows an attacker to reach the sandbox noVNC helper route without satisfying the required bridge authentication. Once accessed, the route exposes credentials for the interactive browser session, giving the attacker full control over that session. The flaw is classified as CWE-862, reflecting an authorization bypass where privileged access is granted to an unauthenticated user. The impact is a loss of confidentiality and integrity of user sessions and the potential for further lateral movement within the environment.

Affected Systems

All OpenClaw releases prior to 2026.4.10, including the 2026.2.21 build, are affected. The OpenClaw product contains the sandbox noVNC helper route that is vulnerable when these older versions are deployed.

Risk and Exploitability

The CVSS score of 9.2 indicates critical severity. EPSS is unavailable, and the vulnerability is not listed in CISA KEV, so the actual exploitation probability is unknown. The attack vector is via unauthenticated HTTP requests to the noVNC helper endpoint, which can be performed by any entity with network access to the route, either remotely or from an internal host.

Generated by OpenCVE AI on May 6, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.4.10 or later.
  • If an upgrade is not possible, restrict access to the noVNC helper route with firewall or reverse‑proxy rules so that only trusted hosts can reach it.
  • If the noVNC helper route is unnecessary, disable it entirely or enforce additional authentication such as a reverse‑proxy authentication layer to protect the endpoint.

Generated by OpenCVE AI on May 6, 2026 at 22:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 06 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that exposes interactive browser session credentials. Attackers can access the noVNC helper route without bridge authentication to gain unauthorized access to the interactive browser session.
Title OpenClaw 2026.2.21 < 2026.4.10 - Authentication Bypass in Sandbox noVNC Helper Route
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-862
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-07T13:52:13.633Z

Reserved: 2026-05-01T16:58:23.117Z

Link: CVE-2026-43575

cve-icon Vulnrichment

Updated: 2026-05-07T13:51:44.060Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-06T20:16:33.100

Modified: 2026-05-06T21:21:14.220

Link: CVE-2026-43575

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T23:00:14Z

Weaknesses