Auth bypass in OpenClaw

CVE-2026-43575

OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that exposes interactive browser session credentials. Attackers can access the noVNC helper route without bridge…

Vulnerability class: Broken Access Control

EPSS: 0.001 (34.3th percentile).

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

  • OpenClaw — versions 2026.2.21, 2026.4.10

Frequently asked questions

What is CVE-2026-43575?
CVE-2026-43575 is a critical-severity vulnerability in OpenClaw, classified under Missing Authorization. CVSS score: 9.8/10. Published 2026-05-06.

How severe is CVE-2026-43575?
Critical severity. CVSS v3 base score is 9.8 out of 10.