GHSA-cxcw-jm67-3wwp

Suggest an improvement
Source
https://github.com/advisories/GHSA-cxcw-jm67-3wwp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-cxcw-jm67-3wwp/GHSA-cxcw-jm67-3wwp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cxcw-jm67-3wwp
Withdrawn
2026-03-24T19:06:52Z
Published
2026-03-21T03:31:14Z
Modified
2026-03-24T19:17:19.260051Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
  • 8.5 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
Summary
Duplicate Advisory: OpenClaw's andbox browser noVNC observer lacked VNC authentication
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-25gx-x37c-7pph. This link is maintained to preserve external references.

Original Description

OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated access to the VNC interface. Remote attackers on the host loopback interface can connect to the exposed noVNC port to observe or interact with the sandbox browser without credentials.

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T19:06:52Z",
    "cwe_ids": [
        "CWE-306"
    ],
    "severity": "HIGH",
    "nvd_published_at": "2026-03-21T01:17:09Z"
}
References

Affected packages

npm / openclaw

Package

Name
openclaw
View open source insights on deps.dev
Purl
pkg:npm/openclaw

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-cxcw-jm67-3wwp/GHSA-cxcw-jm67-3wwp.json"
last_known_affected_version_range 
"< 2026.2.21"