What is CVE-2026-32064?

CVE-2026-32064 is a high-severity vulnerability in Openclaw, classified under Missing Authentication for Critical Function. CVSS score: 7.7/10. Published 2026-03-21.

How severe is CVE-2026-32064?

High severity. CVSS v3 base score is 7.7 out of 10.

Auth bypass in Openclaw

CVE-2026-32064

OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated access to the VNC interface. Remote attackers on the host loopback interface can c…

Vulnerability class: Broken Authentication

EPSS: 0.000 (9.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.7 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.

Affected products

Openclaw — versions 0, 2026.2.21

Weakness classification (CWE)

CWE-306 — Missing Authentication for Critical Function

References

GitHub Security Advisory (GHSA-25gx-x37c-7pph) (third-party-advisory)
Patch Commit #1 (patch)
Patch Commit #2 (patch)
VulnCheck Advisory: OpenClaw < 2026.2.21 - Missing VNC Authentication in Sandbox Browser noVNC Observer (third-party-advisory)

Frequently asked questions

What is CVE-2026-32064?: CVE-2026-32064 is a high-severity vulnerability in Openclaw, classified under Missing Authentication for Critical Function. CVSS score: 7.7/10. Published 2026-03-21.
How severe is CVE-2026-32064?: High severity. CVSS v3 base score is 7.7 out of 10.