Skip to content
CVSS 9.8 · CRITICAL

CVE-2026-43575

OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that exposes interactive browser session credentials. Attackers can access the noVNC helper route without bridge authentication to gain unauthorized access to the interactive browser session.

View on NVD

Analysis

OpenClaw appears to be a specialized tool for browser sandboxing and VNC-based testing environments. While the CVSS score is critical due to a pre-authentication bypass that exposes session credentials, the software lacks the widespread deployment in the common MexicoDev stack to justify a general alert.

Severity

Score: 9.8(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-862

EPSS

No EPSS score yet (CVE may be too fresh).

Technical description

OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that exposes interactive browser session credentials. Attackers can access the noVNC helper route without bridge authentication to gain unauthorized access to the interactive browser session.

Published: 5/6/2026, 8:16:33 PM
Last modified: 5/6/2026, 9:21:14 PM

References

HomeEventsBlogResourcesTeam